################################################################
# ThreatFox IOCs: Suricata rules                               #
# Last updated: 2025-05-14 09:57:06 UTC                        #
#                                                              #
# Terms Of Use: https://threatfox.abuse.ch/faq/#tos            #
# For questions please contact threatfox [at] abuse.ch         #
################################################################
#
# Reviewer notes on how to read the rules below:
#  - Each sid is the ThreatFox IOC id prefixed with 9 (sid:91522217 <-> ioc/1522217),
#    so an alert can be traced back through its reference URL.
#  - metadata carries confidence_level and first_seen. Confidence in this part of the
#    feed ranges from 75 to 100; lower values are candidates for lower-priority triage,
#    and first_seen gives a date to age indicators out against.
#  - ip:port rules have no payload or flow keywords: any TCP packet from $HOME_NET to
#    the listed address and port matches. "threshold: type limit, track by_src,
#    seconds 60, count 1" caps output at one alert per source address per 60 seconds.
#    An alert therefore shows that a host contacted the endpoint, not that C2 protocol
#    content was observed; corroborate with host telemetry before acting on it.
#  - Some addresses appear in several rules on different ports. Each rule has its own
#    sid and threshold, so one host can raise several alerts for the same destination.
#  - domain rules match on dns_query with depth equal to the content length plus
#    isdataat:!1,relative, so only a query for exactly that name matches; subdomains
#    of a listed name are not covered.
#  - target:src_ip marks the $HOME_NET side of the flow as the affected host in alert
#    output.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stoshiloversdie.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522217; rev:1;)
alert tcp $HOME_NET any -> [24.177.67.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522216/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522216; rev:1;)
alert tcp $HOME_NET any -> [212.11.64.175] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522215/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522215; rev:1;)
alert tcp $HOME_NET any -> [195.123.211.151] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522213; rev:1;)
alert tcp $HOME_NET any -> [51.38.140.93] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522212; rev:1;)
alert tcp $HOME_NET any -> [199.103.95.5] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522211; rev:1;)
alert tcp $HOME_NET any -> [51.89.205.218] 7878 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522210; rev:1;)
alert tcp $HOME_NET any -> [91.236.230.234] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522209/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_14; classtype:trojan-activity; sid:91522209; rev:1;)
alert tcp $HOME_NET any -> [45.155.124.123] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522208; rev:1;)
alert tcp $HOME_NET any -> [69.62.119.97] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522204; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522205; rev:1;)
alert tcp $HOME_NET any -> [185.177.59.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522206; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.3] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522207; rev:1;)
alert tcp $HOME_NET any -> [102.117.174.178] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522203; rev:1;)
alert tcp $HOME_NET any -> [88.237.19.77] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522200; rev:1;)
alert tcp $HOME_NET any -> [88.237.19.77] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522201; rev:1;)
alert tcp $HOME_NET any -> [23.95.106.22] 11240 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522202; rev:1;)
alert tcp $HOME_NET any -> [188.218.201.194] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522198; rev:1;)
alert tcp $HOME_NET any -> [144.172.104.135] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522199; rev:1;)
alert tcp $HOME_NET any -> [206.189.158.128] 6156 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522196; rev:1;)
alert tcp $HOME_NET any -> [191.96.207.241] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522197; rev:1;)
alert tcp $HOME_NET any -> [8.141.113.34] 8002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522195; rev:1;)
alert tcp $HOME_NET any -> [120.55.126.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6t.czlw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamingglide.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forthepape.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522099; rev:1;)
alert tcp $HOME_NET any -> [113.45.7.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522100; rev:1;)
alert tcp $HOME_NET any -> [8.137.22.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522101; rev:1;)
alert tcp $HOME_NET any -> [43.140.243.146] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522102; rev:1;)
alert tcp $HOME_NET any -> [118.178.132.223] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522103/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_14; classtype:trojan-activity; sid:91522103; rev:1;)
alert tcp $HOME_NET any -> [212.11.64.175] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522104/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_14; classtype:trojan-activity; sid:91522104; rev:1;)
alert tcp $HOME_NET any -> [110.42.67.92] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522105; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.56] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522106; rev:1;)
alert tcp $HOME_NET any -> [181.162.142.255] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522109; rev:1;)
alert tcp $HOME_NET any -> [23.145.40.182] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522107; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.106] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522108; rev:1;)
alert tcp $HOME_NET any -> [124.223.31.188] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522115; rev:1;)
alert tcp $HOME_NET any -> [94.156.144.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522110; rev:1;)
alert tcp $HOME_NET any -> [182.254.226.64] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522114; rev:1;)
alert tcp $HOME_NET any -> [34.16.98.59] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522116; rev:1;)
alert tcp $HOME_NET any -> [38.242.207.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522117; rev:1;)
alert tcp $HOME_NET any -> [3.15.182.97] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522118; rev:1;)
alert tcp $HOME_NET any -> [157.180.74.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522119; rev:1;)
alert tcp $HOME_NET any -> [178.62.29.13] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522120; rev:1;)
alert tcp $HOME_NET any -> [185.15.76.86] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522121; rev:1;)
alert tcp $HOME_NET any -> [47.239.100.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522122; rev:1;)
alert tcp $HOME_NET any -> [43.134.17.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522123; rev:1;)
alert tcp $HOME_NET any -> [176.9.192.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522124; rev:1;)
alert tcp $HOME_NET any -> [52.213.183.75] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522125; rev:1;)
alert tcp $HOME_NET any -> [5.129.199.150] 49302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522126; rev:1;)
alert tcp $HOME_NET any -> [192.3.232.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522127; rev:1;)
alert tcp $HOME_NET any -> [198.46.190.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522128; rev:1;)
alert tcp $HOME_NET any -> [203.177.95.83] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522129; rev:1;)
alert tcp $HOME_NET any -> [51.21.82.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522130; rev:1;)
alert tcp $HOME_NET any -> [156.244.39.143] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522131; rev:1;)
alert tcp $HOME_NET any -> [35.156.170.65] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522135; rev:1;)
alert tcp $HOME_NET any -> [20.243.80.179] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522132; rev:1;)
alert tcp $HOME_NET any -> [172.188.24.67] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522133; rev:1;)
alert tcp $HOME_NET any -> [13.51.175.116] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522134; rev:1;)
alert tcp $HOME_NET any -> [35.156.170.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522136; rev:1;)
alert tcp $HOME_NET any -> [181.32.35.248] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522139; rev:1;)
alert tcp $HOME_NET any -> [52.70.41.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522137; rev:1;)
alert tcp $HOME_NET any -> [187.33.147.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522138; rev:1;)
alert tcp $HOME_NET any -> [101.6.4.134] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522140; rev:1;)
alert tcp $HOME_NET any -> [3.12.120.187] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522143; rev:1;)
alert tcp $HOME_NET any -> [3.106.217.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522141; rev:1;)
alert tcp $HOME_NET any -> [35.184.1.230] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522142; rev:1;)
alert tcp $HOME_NET any -> [129.204.203.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatrader5.pw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522152/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_14; classtype:trojan-activity; sid:91522152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"guarda.su"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522153/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_14; classtype:trojan-activity; sid:91522153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lobstergroowingto.sbs"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdkjczxmeuw.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxvnqwejlkgh.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mznvqiweurty.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plmzxqwieruo.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vxmnsdkjweqz.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpwalskdjzmx.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xnzwoeirplad.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwenmzlxktyu.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmxncvaoiwqe.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmasdqwpeiru.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qowuensmzxcv.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wqemzxncpiou.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbqwmnzxopru.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpoiwnzqlaks.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpeuwmxnzvka.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zcnvqpweoriu.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lksmzqwenxop.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521831; rev:1;)
# The next two entries are single hostnames beneath a shared parent domain. Because
# of the exact-name match, sibling hostnames under the same parent are not flagged.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oby2349.giize.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envio07.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521833; rev:1;)
# NOTE(review): the content below looks like a hostname, but it is matched at the very
# start of http.uri (depth:17). http.uri normally holds the request path rather than
# the Host header, so this rule may not fire on ordinary requests. Confirm against
# test traffic; http.host is the buffer that inspects the requested hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"api.playanext.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1521834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweiozmnxvla.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkjzmxnqpwer.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"naroowlagendbend.sbs"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522076; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522077; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522078; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522079; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522080; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522082; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522081; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522083; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522084; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522085; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.72] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522086/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_14; classtype:trojan-activity; sid:91522086; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522087; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522088; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522089; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522090; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522095; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1522096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522096; rev:1;) alert tcp $HOME_NET any -> [185.156.72.72] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lygep.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oct-estimation.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elon20252025subdominmain2025.duckdns.org"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsjafklweqmn.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; 
classtype:trojan-activity; sid:91521812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manlichcopfbeet.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521808; rev:1;) alert tcp $HOME_NET any -> [46.3.197.109] 5977 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cujob.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"entrinidad.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qaxib.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"gypuq.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eduardocaballero5070.duckdns.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522192; rev:1;) alert tcp $HOME_NET any -> [23.95.197.208] 1412 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522191/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"barmgek.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522190/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wordinfos.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522189/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"digiscap.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522188/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522188; rev:1;) alert tcp $HOME_NET any -> [178.75.102.190] 1595 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522187/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nzxtsh.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522186/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"soundcloudxyinialol14881.duckdns.org"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522185/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522185; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 57386 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522183/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522183; rev:1;) alert tcp $HOME_NET any -> [147.185.221.28] 35553 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522184/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ammarsy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522182/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shiroweb-52633.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522181/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522181; rev:1;) alert tcp $HOME_NET any -> [182.188.188.18] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522180/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522180; rev:1;) alert tcp $HOME_NET any -> [73.114.241.65] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522176/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522176; rev:1;) alert tcp $HOME_NET any -> [73.114.241.65] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522177/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522177; rev:1;) alert tcp $HOME_NET any -> [73.114.241.65] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522178/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522178; rev:1;) alert tcp $HOME_NET any -> [73.114.241.65] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522179/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/3as7fu4y"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522175/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7671302806:aagmiasyex23evurp_7fyeivjprdcdi1cns/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522173/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7844826162:aahmkutzu62tupvnego_jski8esx0hupgsg/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522174/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"154.198.49.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522172/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.79.214.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522171/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522171; rev:1;) alert tcp $HOME_NET any -> [47.238.99.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522168; rev:1;) alert tcp $HOME_NET any -> [194.87.29.62] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522169/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522169; rev:1;) alert tcp $HOME_NET any -> [77.83.246.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522170; rev:1;) alert tcp $HOME_NET any -> [137.220.205.227] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522167; rev:1;) alert tcp $HOME_NET any -> [193.233.48.28] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522166/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522166; rev:1;) alert tcp $HOME_NET any -> [154.82.92.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522165; rev:1;) alert tcp $HOME_NET any -> [52.66.197.93] 33060 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522164/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522164; rev:1;) alert tcp $HOME_NET any -> [162.254.85.213] 8081 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522162/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522162; rev:1;) alert tcp $HOME_NET any -> [84.46.239.239] 9443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522163/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; 
sid:91522163; rev:1;) alert tcp $HOME_NET any -> [185.125.218.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522160/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522160; rev:1;) alert tcp $HOME_NET any -> [51.210.241.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522161/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522161; rev:1;) alert tcp $HOME_NET any -> [118.31.114.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522158/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522158; rev:1;) alert tcp $HOME_NET any -> [1.92.100.230] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522159/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522159; rev:1;) alert tcp $HOME_NET any -> [8.134.80.60] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522157/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522157; rev:1;) alert tcp $HOME_NET any -> [192.238.128.191] 8444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1522156/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepollgeolongpollflowertracklocalcdntemporary.php"; depth:52; nocase; http.host; content:"034148cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index2.php"; depth:11; nocase; http.host; content:"flowers.hold-me-finger.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522147/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cat-watches-site.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522148/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn.findfakesnake.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522149/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; 
classtype:trojan-activity; sid:91522149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/res"; depth:4; nocase; http.host; content:"onedrive.office-note.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522146/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_14; classtype:trojan-activity; sid:91522146; rev:1;) alert tcp $HOME_NET any -> [182.16.26.210] 56104 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522145; rev:1;) alert tcp $HOME_NET any -> [104.37.4.139] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522112; rev:1;) alert tcp $HOME_NET any -> [185.244.30.120] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522113; rev:1;) alert tcp $HOME_NET any -> [45.74.15.230] 3402 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522111; rev:1;) alert tcp $HOME_NET any -> [8.137.60.154] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522094/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522094; rev:1;) alert tcp $HOME_NET any -> [45.40.245.61] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522093/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522093; rev:1;) alert tcp $HOME_NET any -> [34.30.162.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1522092/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"132.162.30.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1522091/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_14; classtype:trojan-activity; sid:91522091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelineprocessauthlongpollapilinuxgeneratorwppublic.php"; depth:58; nocase; http.host; content:"658055cm.nyashvibe.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1522075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91522075; rev:1;) alert tcp $HOME_NET any -> [45.66.249.59] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521858/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_14; classtype:trojan-activity; sid:91521858; rev:1;) alert tcp $HOME_NET any -> [195.82.146.47] 8704 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521857; rev:1;) alert tcp $HOME_NET any -> [52.247.73.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521856; rev:1;) alert tcp $HOME_NET any -> [177.103.63.129] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521855; rev:1;) alert tcp $HOME_NET any -> [154.198.49.116] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521854; rev:1;) alert tcp $HOME_NET any -> [176.65.141.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; 
sid:91521852; rev:1;) alert tcp $HOME_NET any -> [196.251.80.205] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521853; rev:1;) alert tcp $HOME_NET any -> [196.251.80.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521851; rev:1;) alert tcp $HOME_NET any -> [167.114.215.75] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521849; rev:1;) alert tcp $HOME_NET any -> [88.237.19.77] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521850; rev:1;) alert tcp $HOME_NET any -> [103.190.81.180] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521848; rev:1;) alert tcp $HOME_NET any -> [143.244.185.65] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1521847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521847; rev:1;) alert tcp $HOME_NET any -> [52.247.73.225] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521845; rev:1;) alert tcp $HOME_NET any -> [46.101.169.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521846; rev:1;) alert tcp $HOME_NET any -> [45.192.99.197] 9997 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521844; rev:1;) alert tcp $HOME_NET any -> [110.42.232.120] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_14; classtype:trojan-activity; sid:91521843; rev:1;) alert tcp $HOME_NET any -> [47.83.15.102] 7777 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521841; rev:1;) alert tcp $HOME_NET any -> [185.208.158.206] 5145 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521837; rev:1;) alert tcp $HOME_NET any -> [95.219.229.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521807/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521807; rev:1;) alert tcp $HOME_NET any -> [75.2.47.6] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521806/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521806; rev:1;) alert tcp $HOME_NET any -> [70.27.138.41] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521805/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521805; rev:1;) alert tcp $HOME_NET any -> [47.246.50.110] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521804/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521804; rev:1;) alert tcp $HOME_NET any -> [45.87.246.156] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521803/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521803; rev:1;) alert tcp $HOME_NET any -> [45.33.88.161] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521802/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521802; rev:1;) alert tcp $HOME_NET any -> [217.160.208.94] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521801/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521801; rev:1;) alert tcp $HOME_NET any -> [193.92.250.206] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521800/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521800; rev:1;) alert tcp $HOME_NET any -> [119.3.166.133] 18443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521797; rev:1;) alert tcp $HOME_NET any -> [20.67.235.113] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521796; rev:1;) alert tcp $HOME_NET any -> [204.48.27.82] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1521795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521795; rev:1;) alert tcp $HOME_NET any -> [154.198.49.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521793; rev:1;) alert tcp $HOME_NET any -> [45.79.214.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521794; rev:1;) alert tcp $HOME_NET any -> [196.251.80.180] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521791; rev:1;) alert tcp $HOME_NET any -> [139.84.168.224] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521792; rev:1;) alert tcp $HOME_NET any -> [3.215.185.215] 8001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521790; rev:1;) alert tcp $HOME_NET any -> [5.22.215.2] 8000 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521789; rev:1;) alert tcp $HOME_NET any -> [46.101.169.156] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521788; rev:1;) alert tcp $HOME_NET any -> [104.37.172.225] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521787; rev:1;) alert tcp $HOME_NET any -> [195.82.147.97] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521785; rev:1;) alert tcp $HOME_NET any -> [172.111.150.194] 3872 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521786; rev:1;) alert tcp $HOME_NET any -> [45.192.99.197] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521784/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521784; rev:1;)
# ip:port rule: no flow or content keyword is present, so it matches any TCP
# packet from $HOME_NET to the listed address and port, including a connection
# attempt that is never answered. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source address per 60 s.
# target:src_ip marks the internal host as the target in the alert record.
alert tcp $HOME_NET any -> [45.192.99.197] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521783; rev:1;)
# url rule: client-to-server traffic on an established flow, method GET.
# The URI is a case-insensitive prefix match (depth:11, nocase, no end-of-buffer
# check), so longer URIs that begin with the same 11 characters also alert.
# The Host is an exact match: depth:18 equals the pattern length and
# isdataat:!1,relative requires that nothing follows it.
# There is no threshold here, so every matching request raises an alert.
# NOTE(review): "alert http" inspects HTTP the sensor can parse in cleartext;
# the same request inside TLS is not seen unless decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2avt578pjv"; depth:11; nocase; http.host; content:"captcha.xajy.press"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521781; rev:1;)
# The NjRAT ip:port rules below all use destination port 11729 and differ only
# in address; each has its own sid, so one host contacting several of them
# produces one alert per rule.
alert tcp $HOME_NET any -> [18.141.106.224] 11729 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521751; rev:1;)
alert tcp $HOME_NET any -> [52.77.3.235] 11729 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521750; rev:1;)
alert tcp $HOME_NET any -> [54.169.93.143] 11729 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521749; rev:1;)
alert tcp $HOME_NET any -> [52.74.74.86] 11729 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521748; rev:1;) alert tcp $HOME_NET any -> [3.1.16.19] 11729 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nildr0uhd0xf2wkhjxsagal67pzbxnpg"; depth:33; nocase; http.host; content:"directxapps.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs/select.js"; depth:13; nocase; http.host; content:"lx7v9.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lx7v9.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs/lll.php"; depth:11; nocase; http.host; content:"lx7v9.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/leks.zip"; depth:20; nocase; http.host; content:"daviddarle.fr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cylud.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521718; rev:1;) alert tcp $HOME_NET any -> [192.241.129.238] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jevun.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521715; rev:1;) alert tcp $HOME_NET any -> [47.108.182.192] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521717; rev:1;)
# domain rule: exact, case-insensitive match on the whole DNS query name
# (depth:8 equals the pattern length, isdataat:!1,relative forbids trailing
# data), so subdomains of this name do not match.
# NOTE(review): it only fires where the sensor sees the client's DNS query;
# lookups carried over encrypted DNS would presumably not reach it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bedym.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521740; rev:1;)
# ip:port rule on 443: it matches on address and port alone, with no TLS or
# HTTP inspection, so any traffic from $HOME_NET to this address on 443 alerts
# (at most once per source per 60 s because of the threshold).
alert tcp $HOME_NET any -> [91.212.166.68] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521744; rev:1;)
alert tcp $HOME_NET any -> [103.156.25.10] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521743; rev:1;)
# Destination port 53 with protocol "tcp": only TCP traffic to this address is
# covered; UDP traffic to the same address and port is outside this rule.
# confidence_level is 75, lower than the 100 on the neighbouring rules.
alert tcp $HOME_NET any -> [206.217.136.195] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521742/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521742; rev:1;)
# Exact match on the full hostname below (depth:26 equals the pattern length);
# the parent domain and sibling hostnames are not matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloud.fitcloud.ip-ddns.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1521741/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521741; rev:1;) alert tcp $HOME_NET any -> [83.136.255.63] 8080 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.exchangeodds.live"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521738; rev:1;) alert tcp $HOME_NET any -> [45.155.124.123] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521737; rev:1;) alert tcp $HOME_NET any -> [93.232.110.241] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521736; rev:1;) alert tcp $HOME_NET any -> [181.235.5.14] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521735; rev:1;) alert tcp $HOME_NET any -> 
[89.40.31.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521734; rev:1;) alert tcp $HOME_NET any -> [48.210.87.192] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521733; rev:1;) alert tcp $HOME_NET any -> [118.107.42.205] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521730; rev:1;) alert tcp $HOME_NET any -> [154.58.204.42] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521731; rev:1;) alert tcp $HOME_NET any -> [118.107.42.203] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521732; rev:1;) alert tcp $HOME_NET any -> [176.65.134.77] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521729/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521729; rev:1;) alert tcp $HOME_NET any -> [88.151.192.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521728; rev:1;) alert tcp $HOME_NET any -> [4.247.18.217] 8090 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521727; rev:1;) alert tcp $HOME_NET any -> [196.251.117.82] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521725; rev:1;) alert tcp $HOME_NET any -> [46.246.82.16] 8090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521726; rev:1;) alert tcp $HOME_NET any -> [176.65.138.19] 2080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521723; rev:1;) alert tcp $HOME_NET any -> [186.169.82.245] 8888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521724; rev:1;) alert tcp $HOME_NET any -> [113.44.67.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521721; rev:1;) alert tcp $HOME_NET any -> [47.105.108.63] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521722; rev:1;) alert tcp $HOME_NET any -> [124.243.182.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521719; rev:1;) alert tcp $HOME_NET any -> [118.145.185.128] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521720; rev:1;) alert tcp $HOME_NET any -> [147.185.221.28] 23974 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521714; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"really-laundry.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521710; rev:1;)
# url rule on a shared service: the Host is pastebin.com, a public paste site,
# so only the URI separates this indicator from ordinary use of that site.
# The URI is a case-insensitive prefix match (depth:13, nocase, no end-of-buffer
# check): any path starting with these 13 characters, in any letter case, alerts.
# confidence_level is 50 and there is no threshold, so treat hits as triage
# leads and confirm the full requested path before acting on them.
# NOTE(review): "alert http" inspects HTTP the sensor can parse in cleartext;
# the same request inside TLS is not seen unless decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/qsc2pnjk"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521708/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521708; rev:1;)
# ip:port rules: no flow or content keyword, so any TCP packet from $HOME_NET
# to the address and port matches, including an unanswered connection attempt.
# The threshold limits output to one alert per source address per 60 s.
# Both carry confidence_level 50.
alert tcp $HOME_NET any -> [54.39.19.186] 47825 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521706/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521706; rev:1;)
alert tcp $HOME_NET any -> [76.121.13.90] 5353 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521707; rev:1;)
# domain rule: exact, case-insensitive match on the whole query name (depth:19
# equals the pattern length, isdataat:!1,relative forbids trailing data).
# duckdns.org is a dynamic-DNS provider shared by many unrelated hostnames, so
# the match should stay anchored to this full name, not the parent domain.
# dns_query is the legacy spelling of the dns.query sticky buffer; the http
# rule above already uses the dotted form (http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wizz111.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521705/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"server3.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521691/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server3.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521692/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server4.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521693/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server4.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521694/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server5.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521695/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server5.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1521696/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server6.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521697/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server6.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521698/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server7.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521699/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server7.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521700/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server8.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521701/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91521701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server8.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521702/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server9.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server9.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server1.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521685/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server1.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521686/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"server10.retoti.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521687/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521687; rev:1;)
# Exact-name DNS matches (depth + isdataat:!1,relative); nocase makes the comparison case-insensitive.
# NOTE(review): these fire on the lookup itself, whether or not a connection follows. Correlate with
# flow or proxy logs before treating a hit as confirmed C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server10.trumops.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521688/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server2.retoti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521689/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server2.trumops.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521690/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fetdmpg7z.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521684/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"35.79.162.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521683/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521683; rev:1;)
# ip:port rules: no flow, flags or content keyword, so any TCP packet from $HOME_NET to the listed address
# and port alerts, an unanswered SYN included. threshold limit/by_src caps output at one alert per source
# per 60 s. At confidence_level 50, check the referenced ThreatFox entry before acting on a hit.
alert tcp $HOME_NET any -> [165.227.204.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521682/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521682; rev:1;)
alert tcp $HOME_NET any -> [181.131.217.135] 9001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521681/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521681; rev:1;)
alert tcp $HOME_NET any -> [103.214.108.82] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521680/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521680; rev:1;)
alert tcp $HOME_NET any -> [3.25.189.37] 3562 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521679/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521679; rev:1;)
# NOTE(review): 5986 is the registered WinRM-over-HTTPS port; the rule checks address and port only, not the protocol.
alert tcp $HOME_NET any -> [95.131.202.38] 5986 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521678/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_05_13; classtype:trojan-activity; sid:91521678; rev:1;)
# Mixed group. The tcp rules match on destination address and port alone (no flow or payload check);
# the dns rules match one exact query name each.
# NOTE(review): an address:port indicator says nothing about who holds the address later. Use
# first_seen in metadata to age these entries out.
alert tcp $HOME_NET any -> [91.103.140.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521676/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521676; rev:1;)
alert tcp $HOME_NET any -> [96.9.124.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521677/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521677; rev:1;)
alert tcp $HOME_NET any -> [140.143.132.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521675/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91521675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dyky.press"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatrader5.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521636/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_13; classtype:trojan-activity; sid:91521636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; 
content:"ledger-en.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521637/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_13; classtype:trojan-activity; sid:91521637; rev:1;)
# Cobalt Strike ip:port entries on 88, 80 and 21: the rules test address and port only, so they do not
# tell C2 apart from any other TCP service reached on that host. One alert per source per 60 s (threshold).
alert tcp $HOME_NET any -> [8.134.70.73] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521639; rev:1;)
alert tcp $HOME_NET any -> [107.173.35.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521638; rev:1;)
alert tcp $HOME_NET any -> [185.43.4.73] 21 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kihqk.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siglost"; depth:8; nocase; http.host; content:"settings-win-data-microsoft.live"; depth:32; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1521655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521655; rev:1;)
# dns rules below match one exact query name each (depth + isdataat:!1,relative, case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"settings-win-data-microsoft.live"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zovdt.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electnum.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521658/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521658; rev:1;)
# NOTE(review): the Telegram Bot API is normally reached over HTTPS, and `alert http` inspects only
# requests the HTTP parser can read. Confirm sensors see this traffic decrypted, otherwise the rule
# cannot fire. The http.uri prefix keeps the match to one bot path rather than all api.telegram.org use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8163109147:aae4j4bk-oab322fektdloydlrwfphluxke/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; 
depth:18; nocase; http.host; content:"27.106.125.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521663; rev:1;)
# url rules: http.uri + depth is a prefix match (a query string or longer path still matches), while
# http.host is closed by isdataat:!1,relative and must equal the listed host. These need HTTP the
# sensor can parse; the dns rule for the same host alerts on the lookup regardless of what follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv/xf_addon.js"; depth:15; nocase; http.host; content:"soap2dayfree.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soap2dayfree.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv/select.js"; depth:13; nocase; http.host; content:"soap2dayfree.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv/lll.php"; depth:11; nocase; http.host; content:"soap2dayfree.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; 
sid:91521667; rev:1;)
# NOTE(review): daviddarle.fr is matched under a /wp-content/ path and www.oceandentalcare.com under
# /profilelayout, presumably third-party sites being abused; verify before blocking the whole domain.
# The dns rules alert on every lookup of these exact names, including ordinary visits to the site.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/bule.zip"; depth:20; nocase; http.host; content:"daviddarle.fr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daviddarle.fr"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.oceandentalcare.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kypa.press"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"www.oceandentalcare.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521672/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521672; rev:1;)
# confidence_level 75 and 100 entries share the same classtype and rule shape; the level is carried
# only in msg and metadata, so any severity split has to be done downstream on that metadata field.
# The /zavc and /baneb rules are prefix matches on http.uri combined with an exact http.host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wydi.press"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521673; rev:1;)
alert tcp $HOME_NET any -> [149.56.201.216] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521662/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zavc"; depth:5; nocase; http.host; content:"beasterxeen.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521661/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"baraucahkbm.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521660/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91521660; rev:1;)
alert tcp $HOME_NET any -> [45.95.175.213] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521654/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_13; classtype:trojan-activity; sid:91521654; rev:1;)
# ip:port rules with no flow or payload condition: one alert per source per 60 s for any TCP packet
# to the listed endpoint. NOTE(review): sid 91521650 uses port 3389, the registered RDP port. The
# rule does not look at the protocol, so it cannot separate C2 from an RDP session to that address.
alert tcp $HOME_NET any -> [41.216.189.248] 5555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521653; rev:1;)
alert tcp $HOME_NET any -> [81.0.247.170] 7080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521652; rev:1;)
alert tcp $HOME_NET any -> [45.155.124.123] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521651; rev:1;)
alert tcp $HOME_NET any -> [34.60.162.2] 3389 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521650; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.229] 7001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521649; rev:1;)
alert tcp $HOME_NET any -> [23.94.99.5] 5555 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521648; rev:1;)
# "Unknown malware" entries carry no family name to pivot on; the reference URL is the only context.
# darlon2025.duckdns.org sits under a dynamic-DNS zone: the rule matches that host name only, and the
# address behind it can change, so do not derive IP blocks from a single resolution.
alert tcp $HOME_NET any -> [198.46.228.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521647; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.17] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darlon2025.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521646; rev:1;)
alert tcp $HOME_NET any -> [107.150.0.244] 26339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521644; rev:1;)
alert tcp $HOME_NET any -> [107.173.210.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; 
sid:91521643; rev:1;)
# Entries are not grouped by type: ip:port and domain rules alternate in feed order.
# Each sid is 9 followed by the ThreatFox IOC id from the rule's reference URL, so an alert maps
# directly to its IOC page.
alert tcp $HOME_NET any -> [38.207.176.60] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521642; rev:1;)
alert tcp $HOME_NET any -> [80.82.77.139] 56206 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cornerdurv.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testcawepr.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sc.0x504.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ahmiok.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521629; rev:1;)
# Most names here are hosts under dynamic-DNS zones (no-ip, duckdns, zapto). Matching is on the full
# host name (depth + isdataat:!1,relative), so the provider zone itself and other hosts under it
# are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dtd.gcdxw.space"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"watermelonbins.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwire.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i-control.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mhayet.myftp.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1521616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521616; rev:1;)
# Exact-name dns rules, all confidence_level 100 with first_seen 2025_05_13.
# NOTE(review): resolvers reached over DoH/DoT are not visible to `alert dns`; coverage assumes
# clients use DNS that the sensor can parse.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singleangle.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"word.word.hopto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elmajik.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reishack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsahali.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91521621; rev:1;)
# One rule per host name. fast_pattern selects the domain string for the prefilter; depth pins the
# match to the start of the query name and isdataat:!1,relative rejects a name that continues past it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m0sagal.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mgoodoo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dllcautah22.mooo.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"butah22.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mynoipghost.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewjll.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521627; rev:1;)
# After one more exact-name dns rule, the DarkComet ip:port entries start: address + port match only,
# rate-limited to one alert per source per 60 s. Several use port 1604; each rule is still tied to
# one address, so the port alone never alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sihacker40.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521628; rev:1;)
alert tcp $HOME_NET any -> [94.154.46.141] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521603; rev:1;)
alert tcp $HOME_NET any -> [217.122.114.86] 8254 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521604; rev:1;)
alert tcp $HOME_NET any -> [62.35.84.167] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521605; rev:1;)
alert tcp $HOME_NET any -> [87.178.162.248] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521606/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521606; rev:1;)
# ip:port entries without flow:established: the first packet of a connection attempt is enough to
# alert. target:src_ip records the $HOME_NET side as the affected host in the alert record.
alert tcp $HOME_NET any -> [72.196.12.45] 59138 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521607; rev:1;)
alert tcp $HOME_NET any -> [62.109.5.76] 1890 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521608; rev:1;)
alert tcp $HOME_NET any -> [173.0.1.203] 2808 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521609; rev:1;)
alert tcp $HOME_NET any -> [178.237.139.118] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521610; rev:1;)
alert tcp $HOME_NET any -> [88.247.162.153] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521611; rev:1;)
alert tcp $HOME_NET any -> [94.221.85.225] 6789 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521612; rev:1;)
# NOTE(review): these entries all carry first_seen 2025_05_13 and rev:1, and nothing in a rule expires
# it, so retiring stale addresses depends on reloading a fresh copy of the feed.
alert tcp $HOME_NET any -> [81.57.39.10] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcomm.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521596; rev:1;)
alert tcp $HOME_NET any -> [109.201.165.20] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521597; rev:1;)
alert tcp $HOME_NET any -> [1.4.145.129] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521598; rev:1;)
alert tcp $HOME_NET any -> [86.25.234.230] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91521599; rev:1;) alert tcp $HOME_NET any -> [89.130.95.145] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521600; rev:1;) alert tcp $HOME_NET any -> [176.251.222.24] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521601; rev:1;) alert tcp $HOME_NET any -> [84.162.182.157] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobokokofull.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mjahanzaib.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"raulrl555.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521589; rev:1;)
# Domain rules: dns_query selects the DNS query-name buffer. In each rule the
# content length equals depth and isdataat:!1,relative forbids trailing
# bytes, so only a query for exactly the listed name matches; a subdomain
# or a longer name containing the string does not. nocase makes the
# comparison case-insensitive and fast_pattern selects this content for
# the prefilter.
# NOTE(review): most names here sit under dynamic-DNS zones (no-ip, zapto,
# dyndns and similar), where a released hostname can be claimed by an
# unrelated party; check first_seen and the ThreatFox reference before
# treating an alert as a confirmed infection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zemmour.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilo2.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arwen.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"molest.bounceme.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsupdatedns.sytes.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w1dlolz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"echo13.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anpeiliang.3322.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angiebyr.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r6full.dyndns.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"873j2jm.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giviker.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"back.entrydns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcomettr.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markveenstra.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poohbear.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new-legend.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabaal08.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ww2.myftp.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koliseu.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noipkurd.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"socksproxy21.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sususu.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymanalbasha.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acro.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nexdablack.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd04.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artic4server.bounceme.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"derkleinestinker.no-ip.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibigrat.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2o6powa.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521585;
rev:1;)
# Every rule below has the header "$HOME_NET any -> $EXTERNAL_NET any", so a
# DNS query is only inspected when it leaves the protected network.
# NOTE(review): where clients resolve through an internal recursive
# resolver, the query that matches is presumably the resolver's own
# outbound lookup, and the alert's source address is then the resolver
# rather than the host that asked; correlate with resolver query logs to
# find the originating client. Confirm against sensor placement and the
# local HOME_NET definition.
# target:src_ip records the internal (source) side as the attack target in
# the alert output; metadata carries the feed's confidence_level and
# first_seen values, and each reference URL points at the ThreatFox entry
# for that indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diablo39.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nemanjan00.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rosiesandra.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccepic.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masha.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnhlogs.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d4rk.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"911ivana.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dodolover.dyndns.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrwan.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swmoonrt.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cg.boomscape.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacksh4de.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kindos223.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servercontrol.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jazibaba.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsmicro.serveirc.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailtomedude.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bs.hsbc.com.al"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janos.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abibenisev.dyndns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oujda.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telemaintenance.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omon600.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soso6.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"egpt2.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerx6.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigfoooot.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hell222.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elmosquito.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ian2.fcuked.me.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davesteriscool.no-ip.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521509/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcgen1.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodluck.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thedarky.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadico.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521514; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zabi1.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cantaprova1.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rexxxi.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pepito.servebeer.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lanixxx.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"host9.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poubelle707.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myvista.mine.nu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brandoon.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"florianhacker.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merkuzerk.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1521525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"damacana.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lamer.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat12345.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roonscape.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrtriplesam.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521530/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521530; rev:1;)
# Domain IOC rules (ThreatFox "botnet C2 traffic", domain type).
# Each rule inspects the DNS query name. The content is anchored at offset 0 with a depth
# equal to its own length, and isdataat:!1,relative requires that nothing follows it, so
# only the exact FQDN matches (case-insensitively, via nocase). A query for a subdomain
# of a listed name is not covered by these rules.
# Triage: an alert shows that a $HOME_NET host asked for the name, not that a connection
# followed. target:src_ip marks the querying host as the one to investigate.
# NOTE(review): where clients resolve through an internal resolver, the source seen here
# is presumably that resolver; correlate with resolver logs to find the real client.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer; the url
# rules below already use the dotted http.* names.
# Each sid is the ThreatFox IOC id from the rule's reference URL with a leading 9, which
# gives a direct pivot from an alert to the feed entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dekah.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abualaa-2.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canony.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521533; rev:1;)
# URL IOC rules (ThreatFox "botnet C2 traffic", url type).
# Each rule matches a client request on an established flow whose method buffer contains
# "GET", whose URI begins with the listed path and whose Host is exactly the listed name.
# The URI content has depth equal to the path length and nocase but no end-of-buffer
# check, so longer URIs sharing the prefix also match; the first rule's path is only "/c",
# so on that host the Host match carries nearly all of the specificity.
# The Host content has depth plus isdataat:!1,relative, which makes it an exact match.
# These rules depend on the http app-layer parser, so they fire only where the sensor
# sees the request in cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; nocase; http.host; content:"elevatorupdawn.eu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oyloexhu1gtb0wpy"; depth:17; nocase; http.host; content:"controlsync.at"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521495/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umnumoq9aprxlm1qmh"; depth:19; nocase; http.host; content:"controlsync.at"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skiracer.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icetea.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dog29.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cihatx2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521500/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_13; classtype:trojan-activity; sid:91521500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackingftw.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thedeathtoyouall.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mydarkrat.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoraffi.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manson19.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521505; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hpuex9yu0lfad7pjoxcl"; depth:21; nocase; http.host; content:"mobiportal.at"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521491; rev:1;)
# URL IOC rules (the rule ending on the line above and the two below).
# Each rule matches a client request on an established flow whose method buffer contains
# "GET", whose URI begins with the listed path and whose Host is exactly the listed name.
# The URI content has depth equal to the path length and nocase but no end-of-buffer
# check, so longer URIs sharing the prefix also match.
# The Host content has depth plus isdataat:!1,relative, which makes it an exact match.
# These rules depend on the http app-layer parser, so they fire only where the sensor
# sees the request in cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5brj2flqq7wh7o72td"; depth:19; nocase; http.host; content:"unifyconsole.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diiz8shhcf"; depth:11; nocase; http.host; content:"mobiportal.at"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521493; rev:1;)
# IP:port IOC rules (ThreatFox "Bashlite botnet C2 traffic").
# These carry no flow or payload keywords, so any TCP packet from $HOME_NET to the listed
# address and port matches. The threshold (type limit, track by_src, seconds 60, count 1)
# caps output at one alert per source host per 60 seconds.
# Triage: a match on address and port alone says nothing about what was exchanged, and
# addresses get reassigned over time. Check first_seen in the metadata and the ThreatFox
# reference before acting; target:src_ip marks the internal host as the one to investigate.
alert tcp $HOME_NET any -> [146.103.53.86] 23966 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521481; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.237] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521482/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_13; classtype:trojan-activity; sid:91521482; rev:1;) alert tcp $HOME_NET any -> [45.13.225.203] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521483; rev:1;) alert tcp $HOME_NET any -> [149.88.87.187] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521484; rev:1;) alert tcp $HOME_NET any -> [148.135.95.104] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521485; rev:1;) alert tcp $HOME_NET any -> [45.143.166.71] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521486; rev:1;) alert tcp $HOME_NET any -> [89.58.36.144] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521487; rev:1;) alert tcp $HOME_NET any -> [193.181.23.162] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521488; rev:1;) alert tcp $HOME_NET any -> [195.133.47.11] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521489; rev:1;) alert tcp $HOME_NET any -> [62.106.66.149] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521490; rev:1;) alert tcp $HOME_NET any -> [209.141.48.207] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521470; rev:1;) alert tcp $HOME_NET any -> [156.253.227.62] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521471; rev:1;) alert tcp $HOME_NET any -> [45.170.248.16] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521472; rev:1;) alert tcp $HOME_NET any -> 
[156.253.227.62] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521473; rev:1;) alert tcp $HOME_NET any -> [31.58.58.113] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521474; rev:1;) alert tcp $HOME_NET any -> [148.135.95.104] 23977 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521475; rev:1;) alert tcp $HOME_NET any -> [87.121.84.102] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521476; rev:1;) alert tcp $HOME_NET any -> [128.0.118.59] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521477; rev:1;) alert tcp $HOME_NET any -> [95.140.156.252] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521478/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521478; rev:1;) alert tcp $HOME_NET any -> [157.230.3.112] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521479; rev:1;) alert tcp $HOME_NET any -> [23.137.100.69] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comunidad.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mayajaal.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flameon.ath.cx"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"antileak.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lilidega.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rippiin.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkojantroyan.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahriiiii.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-apps.no-ip.biz"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"me.fisnikk.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canearda2121.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"batata.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fr1zzyftw.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deathisland.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521452/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxrxx.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kriderat.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-extra1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-nani.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"themasterrr.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521457; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"googlechrome.servegame.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkdwilliams.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thepiratebgserver.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azazsxsx14.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freakaleak.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"c4.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chemi.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a101544.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dofushunter.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zekooo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sledmoresrat2011.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1521416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fukyou.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loxlox.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sametreis.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1301.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cygate11.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91521421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n4v2.ipv4.pl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benehack.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twentysix.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mario90.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arhowardhome.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaky.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521427; rev:1;)
# How to read the "domain" rules that follow (they all share one shape):
#   * dns_query + content:"<name>" with depth equal to the length of <name> pins
#     the match to the start of the queried name, isdataat:!1,relative requires
#     that no byte follows the match, and nocase ignores letter case. Taken
#     together this is an exact match on the whole queried name, so a lookup of
#     a subdomain of a listed name (for example "www." + name) does not fire.
#   * The header is $HOME_NET -> $EXTERNAL_NET and target:src_ip marks the
#     querying side as the target. Where clients resolve through an internal
#     resolver, the flagged source will be that resolver rather than the
#     endpoint; correlate with resolver logs to find the originating host.
#   * sid is the ThreatFox IOC id from the reference URL prefixed with 9;
#     confidence_level and first_seen are carried in each rule's metadata.
#   * No threshold keyword is set on these rules, so each matching query
#     raises its own alert; apply a limit in threshold.config if repeated
#     lookups from one host are noisy.
#   NOTE(review): the names below appear to sit under dynamic-DNS provider
#   zones; such hostnames can change owner over time, so check the referenced
#   ThreatFox entry and first_seen before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealer-victim.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daniel159.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mp3.dyndns-free.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleacc2929.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almora.game-host.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faresvip.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"base32234.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snoops.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"protestantes.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topsecret7.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simox.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vvxx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitkit.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mondiali2012.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonta.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcuwolf.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mario713.servegame.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"troyano.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soyindetectable.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s-net.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tototeamo.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spaceship.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mechack1.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzgdanny.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niyax.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyphelit.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pakboby.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d4w.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my1.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5254.dyndns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comeonjohn.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"https.servebeer.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"je3t.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7625.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vadhantvad.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mempbifi1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsofts.myvnc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlyneedmyknife.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyphelit.zaptop.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4perfectcircle.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ristoo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kp96.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doctorproz.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runescape2005.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flameon.servegame.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolzorsimacow.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icheetosbutter.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web271w.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"instigateron.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davidserverrat.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bul.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymous.kicks-ass.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure1337.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yougotpwned.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duc5690.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paagerio.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disco4.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petrospaok.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elvinchaos.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtr.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-private.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camfrogupdate.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masoom.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuka.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyphelit.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vzrealize.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jurizaran0ff.kicks-ass.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amaan.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victimefr.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snoahhs.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downloader999.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetbot.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piloto.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuhbloom.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xc.no-ip.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbukana.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r00tb0x.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arsys123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sefaziker.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vasherpwnz.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.dyndns.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deansserver.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mojesve.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1337leeders.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyphelit.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amfa.dyndns.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpsdaniel00.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chememo1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theshark10.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xodleh1979.gicp.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warlock1337.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mymusiconline.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghost3000.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lamercihat.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ohblain.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codex2.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hob4.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hanswurst123456.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayoubayoub.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theunruled.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkbyte.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickyalmeida.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihostforrsgp.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahulsharma.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mys-terious.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"histeria747.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corpie.bounceme.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kushten.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antidot1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zenon.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521337/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521337; rev:1;)
# Domain rules. content is anchored at both ends of the dns_query buffer: depth equals the
# length of the name (start anchor) and isdataat:!1,relative requires that nothing follows it
# (end anchor). With nocase the rule therefore matches this exact query name in any letter
# case; a sub-domain or a longer name that merely contains the string does not match.
# The buffer is filled from DNS traffic the sensor can parse, so lookups sent through an
# encrypted resolver (DoT/DoH) are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"javiercuyas.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxroyalxx.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giganous.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521340; rev:1;)
# ip:port rules. There is no flow, content or app-layer condition: any TCP packet from
# $HOME_NET to the listed address and port raises the alert, and the threshold keeps that to
# one alert per source address per 60 seconds. target:src_ip marks the $HOME_NET host as the
# affected side of the event. Because the only evidence is the destination address, an alert
# says "this host contacted that ip:port", not "this host runs the named family"; check the
# first_seen date and the ThreatFox reference before acting, since an address can be
# reassigned or shared after the indicator was recorded.
alert tcp $HOME_NET any -> [188.228.66.228] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521303; rev:1;)
alert tcp $HOME_NET any -> [5.38.116.187] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521304; rev:1;)
alert tcp $HOME_NET any -> [84.122.168.183] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521305; rev:1;) alert tcp $HOME_NET any -> [94.224.183.79] 1050 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521306; rev:1;) alert tcp $HOME_NET any -> [92.104.46.126] 45051 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521307; rev:1;) alert tcp $HOME_NET any -> [62.34.140.91] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521308; rev:1;) alert tcp $HOME_NET any -> [188.228.66.228] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521309; rev:1;) alert tcp $HOME_NET any -> [88.210.225.235] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; 
sid:91521310; rev:1;) alert tcp $HOME_NET any -> [5.38.116.187] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521311; rev:1;) alert tcp $HOME_NET any -> [62.212.72.166] 5599 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521312; rev:1;) alert tcp $HOME_NET any -> [88.228.235.55] 1863 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521313; rev:1;) alert tcp $HOME_NET any -> [109.110.97.113] 22 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521314; rev:1;) alert tcp $HOME_NET any -> [46.50.163.71] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"massaprilbackup.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1521300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521300; rev:1;)
# The two names below sit under parent zones (ply.gg, duckdns.org) that also appear with other
# host labels elsewhere in this list. The depth + isdataat:!1,relative pair restricts each rule
# to its one full name, so other hostnames under the same parent do not trigger it, and a new
# label registered under the same parent is not detected either.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oct-departments.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"massapril2025.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521302; rev:1;)
# ip:port rules: matched on destination address and TCP port only (no payload or flow-state
# condition), limited by the threshold to one alert per source address per 60 seconds.
# The family name in msg comes from the feed entry; the rule itself does not inspect the
# traffic for that family's protocol, so treat a hit as a lead to confirm on the host.
alert tcp $HOME_NET any -> [46.250.74.88] 5353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521296; rev:1;)
alert tcp $HOME_NET any -> [103.253.73.180] 9080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521297; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.81] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521298; rev:1;)
alert
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saw-bm.gl.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwwtas.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mhzlhhhhhh4444-53583.portmap.io"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521294; rev:1;) alert tcp $HOME_NET any -> [46.250.75.254] 5353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1521295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azontop.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"3058.cloudvonline.contact"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"15800442.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apple-useful.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"are-learners.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stock-correction.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pxzycheat-61468.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1521287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"house-allowed.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"channel-hitting.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"looking-mortgage.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"semlegit.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itachituff.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1521292/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521292; rev:1;)
# URL rules. Each one combines three buffer matches on a client request of an established flow
# (flow:established,from_client):
#   http.method  contains "GET";
#   http.uri     begins with the listed path, case-insensitively: depth equals the path length
#                and there is no end anchor, so a longer URI with the same prefix also matches;
#   http.host    equals the listed host name: depth equals its length and
#                isdataat:!1,relative forbids trailing bytes.
# These keywords need a request that Suricata has parsed as HTTP. A request for the same host
# and path inside TLS is not seen by these rules unless the traffic is decrypted before the
# sensor; coverage for that case has to come from DNS or TLS-level indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"vovecturar.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"6aeneasq.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"w8tortoisgfe.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbdsa"; depth:6; nocase; http.host; content:"hhtardwarehu.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url -
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"9snakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"35civitasu.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"dopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"osnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"lhomewappzb.top"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1521269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"ghomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsna"; depth:5; nocase; http.host; content:"4searchilyo.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trki"; depth:5; nocase; http.host; content:"taretories.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"apraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521273; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"2clatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"c7praetori.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"p7datawavej.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"ebrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; 
nocase; http.host; content:"4orjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"hhomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"qborjinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"ozmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amtw"; depth:5; nocase; http.host; content:"klinepdwk.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521259/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqwh"; depth:5; nocase; http.host; content:"vobeliske.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"ubrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"7grizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"tsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"ubuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521255; rev:1;)
# ThreatFox URL IOCs as HTTP rules, laid out one rule per line.
# Match logic shared by every rule in this run:
#   - client-to-server data on an established flow, HTTP method GET
#   - http.uri begins with the listed path (depth equals the path length,
#     nocase); longer URIs that start with the same path also match
#   - http.host equals the listed domain exactly (depth equals the domain
#     length and isdataat:!1,relative allows no further bytes)
#   - target:src_ip marks the $HOME_NET client as the affected host
#   - sid is "9" followed by the ThreatFox IOC id from the reference URL
# NOTE(review): "alert http" only inspects requests Suricata parses as HTTP.
#   If a listed host is contacted over TLS these rules stay silent unless the
#   traffic is decrypted, so keep DNS / TLS SNI coverage for the same domains.
# NOTE(review): unlike the ip:port rules in this feed, these carry no
#   threshold, so a beaconing host raises one alert per matching request;
#   rate-limit in threshold.config if alert volume becomes a problem.
# NOTE(review): the msg names no malware family; use the reference URL for
#   attribution. Several hosts differ only in their leading characters while
#   sharing a path (e.g. the "/juhd" rules for "...overcovtcg.top"); the exact
#   host match will not fire on variants that are not listed here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"kaovercovtcg.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"0orijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrqo"; depth:5; nocase; http.host; content:"pariosefqcu.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"eeczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"6hclarmodq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"ysnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juab"; depth:5; nocase; http.host; content:"2winterpwthc.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"mexitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"7featurlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"7overcovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"eoblackswmxc.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"iwhomewappzb.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"2homewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"ivoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"ymedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"kzmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"7tropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"4flowerexju.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"rovercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"fbuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"rvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"ndescenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"j0orijinalecza.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"dfeaturlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"avecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"tmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"9descenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"7zmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"1eczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"5phygcsforum.life"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"sovercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"t8zmedtipp.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"xpvecturar.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"jgrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaz"; depth:4; nocase; http.host; content:"sumeriavgv.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"0geographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"4czmedtipp.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"zpraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"fvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsh"; depth:4; nocase; http.host; content:"herosdecos.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"4tortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"pexitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"3vorjinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"8praetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"btortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"9viriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsna"; depth:5; nocase; http.host; content:"7xlsearchilyo.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"htechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"tninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pozz"; depth:5; nocase; http.host; content:"vtechmindj.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"donnypollo.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"uorjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"2descenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"mopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"igitalmakertinggb.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"5scriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"iexitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"rstuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"ininepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaodx"; depth:6; nocase; http.host; content:"hwordswfrdl.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"8eczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"mninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"wsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"fvoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"einsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"waeneasq.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"letcivitasu.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"2medicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baj"; depth:4; nocase; http.host; content:"flushelett.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"rtortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"0overcovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"2haeneasq.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"fzstarofliught.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"zzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaz"; depth:4; nocase; http.host; content:"fsumeriavgv.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"gmeteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ioud"; depth:5; nocase; http.host; content:"logihubo.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"1stuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"0uparakehjet.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"cpraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"xzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"3medicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"lbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"hsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"knighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"dstuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"szmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"nbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tuqz"; depth:5; nocase; http.host; content:"atomicsmet.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"fopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"jtortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"yscikevision.today"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1521165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521165; rev:1;)
# The rules below use the http protocol keyword with http.method / http.uri /
# http.host buffers, so they fire only on requests Suricata parses as HTTP. The
# same names reached inside TLS are not visible to these rules; DNS or TLS SNI
# coverage for these names, if any, is not shown in this part of the file.
# No threshold option is set here, so the rules themselves do not limit how often
# a client that keeps requesting a listed URL raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atok"; depth:5; nocase; http.host; content:"4tremelzxiy.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"bjaraucahkbm.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"lviriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"dtortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rskp"; depth:5; nocase; http.host; content:"reflecwemy.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"5eczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"zhomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"texitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"csvecturar.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"udescenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"ueczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"gieczamedikal.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"qvinsidegrah.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"deczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"csnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"eninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"fbrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tqiuz"; depth:6; nocase; http.host; content:"nonsliebhz.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521144; rev:1;)
# Triage notes for the rules below:
# - sid is the indicator id from the reference URL prefixed with 9
#   (sid:91521145 <-> threatfox.abuse.ch/ioc/1521145/), so an alert's signature id
#   leads straight to the indicator record.
# - msg is the same generic text on every rule and names no malware family;
#   presumably the referenced indicator page carries that detail.
# - target:src_ip marks the source of the matching request (the $HOME_NET client)
#   as the target in the alert event, i.e. the host to investigate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oturu"; depth:6; nocase; http.host; content:"x2nodepathr.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"x8snakejh.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"k7tortoisgfe.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banj"; depth:5; nocase; http.host; content:"gblackljjwc.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"jblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaub"; depth:5; nocase; http.host; content:"eveningeatke.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"morijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riow"; depth:5; nocase; http.host; content:"firstezkpg.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"qscriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"kzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"y-grizzlqzuk.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"ginsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogapds"; depth:7; nocase; http.host; content:"sflamingof.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"dmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"5clatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"6stuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plsoz"; depth:6; nocase; http.host; content:"vsterpickced.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; 
sid:91521123; rev:1;)
# Coverage caveat for the rules below: each rule pins one exact Host value, and
# several listed hosts share a path and differ only in their leading characters
# (e.g. htortoisgfe.top and ntortoisgfe.top, both with /paxk). A variant that is
# not listed raises no alert, so treat this list as point-in-time coverage of the
# indicators that were reported, not of the whole naming pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"xlongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anbu"; depth:5; nocase; http.host; content:"doorwanzeh.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"norjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"bgrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"8orijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"gzopusculy.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"imedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"yvoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"0btcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"8meteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"ccsninepicchf.bet"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"htortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"5buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"4stuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tio"; depth:4; nocase; http.host; content:"famprid.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uiads"; depth:6; nocase; http.host; content:"3pomelohgj.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"yorjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mben"; depth:5; nocase; http.host; content:"8octalfbsh.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"phomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ntortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"gozmedtipp.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"8orijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521102; rev:1;)
# Every rule below carries first_seen 2025_05_13, confidence_level 100 and rev:1 in
# its metadata: these are dated indicator rules, so their value decays as the
# listed hosts are abandoned or reassigned. NOTE(review): confirm how often this
# ruleset is refreshed and how stale entries are retired.
# flow:established,from_client limits matching to client-to-server data on an
# established session, and http.method must be GET, so other request methods to
# the same host and path do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"9tortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goj"; depth:4; nocase; http.host; content:"lancery.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"wopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"aforjinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"y4eczakozmetik.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"zorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"079biosphxere.digital"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"asnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aoiz"; depth:5; nocase; http.host; content:"wdarjkafsg.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"ldisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"bcivitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oias"; depth:5; nocase; http.host; content:"maiantfuuk.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"fdvecturar.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"5techsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"2ninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"bparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"iyinsidegrah.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"pmedicalbitkisel.net"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1521082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"obrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ttortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"qopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"beczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521086; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"torijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banj"; depth:5; nocase; http.host; content:"zblackljjwc.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banj"; depth:5; nocase; http.host; content:"sblackljjwc.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"8exitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; 
http.host; content:"uclatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"7flowerexju.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"faeneasq.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"d1iorijinalecza.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"dgrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521071/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"yq7zmedtipp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"qzmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"hgrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"iorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"raexitiumt.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"movercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ptortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"6overcovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"qucivitasu.run"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1521066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"popusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"weczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"0voznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"ebuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521060; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"yorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"porijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juab"; depth:5; nocase; http.host; content:"ginterpwthc.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"leczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; 
nocase; http.host; content:"9stuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"ngsnakejh.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"vwopusculy.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"gvoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"0mclatteqrpq.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521046/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"rmeteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"qsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"1buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lazd"; depth:5; nocase; http.host; content:"madagaeyrk.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngshi"; depth:6; nocase; http.host; content:"campylloir.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"1featurlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"rleczakozmetik.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaf"; depth:4; nocase; http.host; content:"taigjmr.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"oinsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1521043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bjhnsj"; depth:7; nocase; http.host; content:"tmodelshiverd.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"cvoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"zivoznessxyy.life"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"9clatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521038; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"htinsidegrah.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"norijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iogaa"; depth:6; nocase; http.host; content:"quantdatai.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"neczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; 
http.host; content:"morjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"vbrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"tclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tttechmindzs.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"zclatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521025/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_13; classtype:trojan-activity; sid:91521025; rev:1;)
# ThreatFox URL IOCs as HTTP rules (confidence_level 100, first_seen 2025_05_13).
# What each rule requires, all on one established client-to-server flow from $HOME_NET:
#   http.method - the method buffer contains GET.
#   http.uri    - the URI starts with the listed path: depth equals the path length, which pins
#                 the match to the start of the buffer. Nothing pins the end, so a longer URI
#                 with the same prefix also matches. nocase applies to this content.
#   http.host   - the host equals the listed name: depth pins the start and
#                 isdataat:!1,relative requires that no byte follows the match.
# target:src_ip reports the internal client as the target side of the event.
# In every rule here the sid is the IOC id from the reference URL with a leading 9.
# The msg names no malware family; the referenced ThreatFox record is the place to look it up.
# Coverage caveat: these rules rely on the HTTP parser seeing the request. Traffic to the same
# host inside TLS is not matched unless it is decrypted before inspection.
# NOTE(review): several hosts below differ only in their first characters (for example
# "u5eczamedikal.org" / "yfeczamedikal.org", "nexitiumt.digital" / "7bexitiumt.digital",
# "1feczakozmetik.net" / "veczakozmetik.net"). The host match is exact, so each spelling alerts
# only on itself - confirm against the ThreatFox records whether all of them are live names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xznv"; depth:5; nocase; http.host; content:"porifefyzc.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"u5eczamedikal.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"udatawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banj"; depth:5; nocase; http.host; content:"jtblackljjwc.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"pbchangeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"ngeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"6cinsidegrah.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omiga"; depth:6; nocase; http.host; content:"starfiswh.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"1feczakozmetik.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"nexitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"yfeczamedikal.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"7bexitiumt.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"veczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521016; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danjhw"; depth:7; nocase; http.host; content:"tcrosshairc.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521017; rev:1;)
# HTTP rules for ThreatFox URL IOCs, confidence_level 100, first_seen 2025_05_13.
# Match logic shared by every rule in this run:
#   - flow:established,from_client restricts inspection to client requests on an established flow;
#   - http.method must contain GET;
#   - http.uri must begin with the listed path (depth == path length; nocase applies to it).
#     The URI is a prefix match only: there is no end anchor on this buffer;
#   - http.host must be exactly the listed name (depth == name length, and
#     isdataat:!1,relative asserts that the buffer ends there).
# Because paths such as "/api" are short and generic, the exact host match is what keeps these
# rules specific; the path alone would match unrelated traffic.
# Requests carried inside TLS are not visible to these rules unless decrypted before inspection.
# NOTE(review): some hosts differ only in the first character ("xopusculy.top" / "6opusculy.top",
# "xdescenrugb.bet" / "fdescenrugb.bet", "jhomewappzb.top" / "ehomewappzb.top"). Each rule
# alerts only on its own spelling - verify the names against the referenced ThreatFox records.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"hdisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaus"; depth:5; nocase; http.host; content:"agformydab.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"8cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hgraduatteusez.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"1chemistrycworner.today"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"xopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"0zvecturar.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anbb"; depth:5; nocase; http.host; content:"yvdigitroopc.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"hjclatteqrpq.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"stechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"jhomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"6opusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"8wtechsyncq.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"xdescenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"fdescenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"ehomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1521002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91521002; rev:1;)
alert tcp $HOME_NET any -> [209.97.162.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520999/; target:src_ip; metadata: confidence_level 75, first_seen
2025_05_13; classtype:trojan-activity; sid:91520999; rev:1;)
# Mixed run of the three rule shapes this feed generates, one per IOC type:
#   domain  (alert dns)  - dns_query (older spelling of the dns.query buffer) must equal the
#                          listed name: depth == name length pins the start,
#                          isdataat:!1,relative pins the end, nocase ignores case. Only that exact
#                          name matches; "www.q74vn.live" does not cover the bare parent domain,
#                          and other labels under the same parent are not covered either.
#   ip:port (alert tcp)  - no content and no flow keyword: the rule matches on TCP traffic from
#                          $HOME_NET to the listed address and port alone. threshold type limit,
#                          track by_src, seconds 60, count 1 caps it at one alert per source per
#                          60 seconds. A hit shows that a host talked to the address, not that the
#                          named family's protocol was observed.
#   url     (alert http) - GET request whose URI begins with the listed path (prefix match,
#                          nocase) and whose Host equals the listed name exactly.
# metadata carries the feed's confidence_level (75 or 100 here) and first_seen date; the
# confidence 75 entries are the ones most in need of corroboration from other telemetry before
# an alert is treated as a confirmed infection.
# NOTE(review): address-only IOCs can go stale when an address is reassigned - check first_seen
# and the referenced ThreatFox record when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.q74vn.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520998/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520998; rev:1;)
alert tcp $HOME_NET any -> [70.27.138.41] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520997/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520997; rev:1;)
alert tcp $HOME_NET any -> [213.87.44.192] 444 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520996/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520996; rev:1;)
alert tcp $HOME_NET any -> [196.251.92.58] 61033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520995/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestpollupdateprocessprocessorbigloaddle.php"; depth:48; nocase; http.host; content:"leavesultr.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520994; rev:1;)
alert tcp $HOME_NET any -> [109.248.150.178] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520993/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520993; rev:1;)
# The next name sits under duckdns.org; the exact-match anchoring keeps the rule to this one
# hostname rather than the shared parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"missiondomain.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"mmeteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520991/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"5flowerexju.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520990/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akds"; depth:5; nocase; http.host; content:"yposseswsnc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520989/; target:src_ip; metadata: confidence_level 75,
first_seen 2025_05_13; classtype:trojan-activity; sid:91520989; rev:1;)
# URL IOCs published at confidence_level 75 (first_seen 2025_05_13), as HTTP rules.
# Each one fires on a GET from $HOME_NET, on an established client-to-server flow, whose URI
# begins with the listed path (depth == path length, nocase, no end anchor) and whose Host is
# exactly the listed name (depth == name length plus isdataat:!1,relative).
# The feed rates these lower than its confidence 100 entries; corroborate a hit with other
# host or network telemetry before treating it as a confirmed infection.
# Cleartext HTTP only: the same request inside TLS is not matched unless decrypted upstream.
# NOTE(review): the hosts fall into groups that share a stem and differ in the leading
# characters ("pmeteorplyp.live" / "3ameteorplyp.live" / "0meteorplyp.live",
# "veasterxeen.run" / "peasterxeen.run", "xaraucahkbm.live" / "6araucahkbm.live"). Matching is
# exact per rule - confirm the spellings against the referenced ThreatFox records.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"xaraucahkbm.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520988/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"uvoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520986/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zavc"; depth:5; nocase; http.host; content:"veasterxeen.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520987/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"t9flowerexju.bet"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520985/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"pmeteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520984/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zavc"; depth:5; nocase; http.host; content:"peasterxeen.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520983/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"fzmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520982/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"bblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520981/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"3ameteorplyp.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520979/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"6araucahkbm.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520980/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"0meteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520978/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520978; rev:1;)
# ip:port IOC: matches on destination address and port only (no content, no flow keyword);
# the threshold keeps it to one alert per source per 60 seconds. The feed labels the family
# "Unknown malware", so the alert by itself says nothing about what the peer is running.
alert tcp $HOME_NET any -> [195.201.108.189] 33336 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520977/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520977; rev:1;)
# Domain IOCs: dns_query must equal the listed name (depth == name length pins the start,
# isdataat:!1,relative pins the end, nocase). Both names below sit under the same parent
# domain; only these exact hostnames alert, not other labels under that parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"setup.apple.posteid-a365.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.login.posteid-a365.com"; depth:30; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520976; rev:1;)
# ip:port IOCs as TCP rules. Each rule names one destination address and port and carries no
# content or flow keyword, so it matches on TCP traffic from $HOME_NET to that endpoint
# regardless of payload. threshold: type limit, track by_src, seconds 60, count 1 caps output at
# one alert per source address per 60 seconds. The family in msg comes from the ThreatFox
# record; the rule itself does not verify the protocol spoken on the connection.
# Triage notes:
#   - An alert identifies the internal host (target:src_ip) that contacted the endpoint; confirm
#     with host telemetry before concluding the named family is present.
#   - Several entries use ports that ordinary services also use (80, 443, 8080, 8443).
#     NOTE(review): if such an address is shared or later reassigned, hits may be unrelated -
#     check first_seen and the referenced record.
#   - 195.82.147.132 appears twice, once per port (15647 and 15747); each port is its own sid.
alert tcp $HOME_NET any -> [176.123.4.184] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520974; rev:1;)
alert tcp $HOME_NET any -> [45.144.212.170] 5938 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520973; rev:1;)
alert tcp $HOME_NET any -> [154.58.204.42] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520972; rev:1;)
alert tcp $HOME_NET any -> [195.82.147.132] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520970; rev:1;)
alert tcp $HOME_NET any -> [195.82.147.132] 15747 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520971; rev:1;)
alert tcp $HOME_NET any -> [144.172.104.135] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520967; rev:1;)
alert tcp $HOME_NET any -> [206.238.115.155] 8443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520968; rev:1;)
alert tcp $HOME_NET any -> [88.229.2.85] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520969; rev:1;)
alert tcp $HOME_NET any -> [20.3.142.245] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520965; rev:1;)
alert tcp $HOME_NET any -> [91.222.173.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520966; rev:1;)
alert tcp $HOME_NET any -> [94.130.34.243] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520964; rev:1;)
alert tcp $HOME_NET any -> [106.14.53.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520963; rev:1;)
alert tcp $HOME_NET any -> [209.54.102.170] 5070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520962/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520962; rev:1;)
# URL and domain IOCs. The http rules match a GET whose URI begins with the listed path
# (prefix match, nocase) and whose Host equals the listed name exactly; the dns rules match a
# query for exactly the listed name (depth pins the start, isdataat:!1,relative the end, nocase).
# "/art.php" appears under two different hosts; the exact host match keeps the rules distinct.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"downtownisland.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collarvase.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"detailcrowd.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lui.php"; depth:8; nocase; http.host; content:"boneyarn.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"summervegetable.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520958; rev:1;)
alert tcp $HOME_NET any -> [44.223.25.179] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520752; rev:1;)
alert tcp $HOME_NET any -> [152.136.165.180] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/snn"; depth:4; nocase; http.host; content:"macjajm.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520956/; target:src_ip; metadata:
confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520956; rev:1;)
# Two URL IOCs at confidence_level 75: GET request, URI beginning with the listed path
# (prefix match, nocase), Host exactly equal to the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zavc"; depth:5; nocase; http.host; content:"g2easterxeen.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520955/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"czmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520954/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520954; rev:1;)
# Domain IOCs at confidence_level 100: one rule per name, all 13-character labels under .life.
# Match logic: dns_query (older spelling of the dns.query buffer) must equal the listed name -
# depth:18 equals the name length and pins the start, isdataat:!1,relative requires that no byte
# follows, nocase ignores case. fast_pattern selects this content for the prefilter.
# target:src_ip reports the querying internal host as the target side of the event. If clients
# resolve through an internal resolver that the sensor sees instead, the reported source is that
# resolver - correlate with resolver logs to find the originating host.
# NOTE(review): the labels look algorithmically generated. Each rule matches one exact name, so
# names from the same set that are not listed do not alert; the msg names no family - see the
# referenced ThreatFox records.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yh4x0620pw1ap.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ypki3cocq1asj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yqijzlle1r3rl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yv8yhgwsm81x7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zf8sn8l1c1c16.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zit5if516dao2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zpvptw82h5c00.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx1qk0w02fke7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whzw13p3r7lzp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wl2n961unpaix.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wz3qdxhxns2g4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x357y9ss65tdu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x3an9oqhcf2mf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x70eca9dqaj6k.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xhuahzm5uiimo.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xjfbfo2a6koef.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xnxutbo5etuw9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtbt0ekpcxnak.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxx4tb82ly3p2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y2iv17lkdmj55.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y37vxmir7miwq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y5i7fcp0z2vdv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uh61rmo8drq8c.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uimcnlvkowuot.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520918/; target:src_ip;
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uld7tnpvgr1ir.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unluozjsodi8i.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uod2mz4es33ka.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v0kgi0osnu7pw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v0p0woy3f8ze7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520923; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v66tip8ogttrf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncik1psdrrbl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vns5srpw5p315.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vqzguhj0laj7p.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrnf4tj48nxod.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"vs3b5qgn6ksql.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vujdfffgcjd7k.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w79vt2diz7dml.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s8akau9vlsrbq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scu2pm45pz9q2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfrq624fuus5k.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"si8p7wuxa7ddt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sijq1m7wknt6g.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t9toueu4d6gzm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcvttq08r9jty.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tfd48hex6n5ye.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tldemeczwtpb7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmuu1ryu4fvbm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u2eqkj41hheze.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u7d1qd724touv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaooxwnck1qwk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ug2a0sj16kerd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q8r7omleri0pd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qcvgu67ml13r1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qo5lmcyhdzxlf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqd8ic552xs4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qv4njcerh3hsj.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qy6ctflx8ydfe.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r0lethdy5ytqp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r9mkypblrf7ai.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rjgkw1xkq6tgo.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rn07j0x1acnyz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520898/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rrfz818tk7l3b.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxaswnnmmce9g.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rzxkvxyj2i9qj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s6tbv8w63f840.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nins8k5g0f1dx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520872; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nramyw3ac65tz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nucp69y9nhvm2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nz9sjxx21tp5x.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzsgq8404xxkm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oefia9wp8je6z.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ogb5xkgmg4oju.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogbh7anjjdjdd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"os5ryl12zmx42.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oulq1xmd91yva.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p8ya80enl7muq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phofkkfcuixei.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phwix4m5d2xcl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piur2ev55twj7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pl43cimufnrmu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnqu4zi9mlahx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pz9k9kaihtptd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqyeegna3lht2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k7b843izg720e.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k8tdxptwoarz9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kb7o9tevgv0nj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knmekk4xh1yfu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kt1zpdc26avtr.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsoj8le5dvbzq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mt07ykdxl55cw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n5d6y67plvnto.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n7fyq5glyab2j.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nbfg014yic1qb.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nbs6lnzvk9nkg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nd6h2ldqkvdw6.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nia2qq0etuzpb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gvygkcpol74gy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h28r6gebma715.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520845/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520845; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes on the domain rules below
#
# Each rule alerts on a DNS query from $HOME_NET to $EXTERNAL_NET whose query
# name equals one ThreatFox-listed domain:
#   dns_query              inspect the DNS query-name buffer
#   content + depth:18     the 18-byte name must be found within the first 18
#                          bytes, i.e. it has to start at offset 0
#   isdataat:!1,relative   no data may follow the match, so the listed domain
#                          must be the end of the query name
#   nocase                 case-insensitive comparison
# Net effect: exact-name match only. A query for a subdomain of a listed name
# does not fire these rules.
# target:src_ip marks the querying side as the affected host in the event.
# sid is the IOC id from the reference URL with a leading 9.
# msg names no malware family; use the reference URL for attribution.
# No threshold keyword is present, so every matching query raises an alert.
#
# NOTE(review): with an internal recursive resolver, src_ip on an alert is
#   presumably the resolver, not the infected client; correlate with resolver
#   query logs to find the originating host. Confirm against sensor placement.
# NOTE(review): lookups carried over DoH/DoT are not expected to reach this
#   buffer, so the absence of alerts is not evidence of a clean host.
# NOTE(review): the names are 13-character labels under .life, all with
#   first_seen 2025_05_13, which looks algorithmically generated; confirm on
#   the ThreatFox entry. Such indicators age quickly and the rules carry no
#   expiry, so refresh from the feed instead of keeping stale copies.
# NOTE(review): dns_query is the legacy spelling of dns.query. If subdomain
#   coverage or a lower rule count is wanted (dotprefix/endswith on dns.query,
#   or a dataset lookup), put that in a separate local rules file; this file
#   looks feed-generated and local edits would likely be overwritten.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hb0nsim3indj8.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hij11nti41rxp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hlqz0e62ixrnp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ho0e0fu2f1ehu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrjcfbz49zbdn.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htc8v674o5340.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hvrcruhojtv59.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i9lnrwpyl6q1s.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igdibsm1sy5ef.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikp95oty597zb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"il3ha3mtfvku8.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iptckm8axh4up.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gap5w2em9msor.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gennj5glepbm3.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghyouopkphf2x.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyrsovg0janxg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e12sw2209cc53.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e21hhjf8659tt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e3h08otb6xmu3.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eapnxzvi8p2dy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec8puhgxe2irq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f24yew7yxdas9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f5bdp5r97x63z.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f5l5coo21t986.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fa03e75bicux5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fk522cqcb411i.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fl2ifygitryuh.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9k7m4sno3n6zf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9psg7n6nx8jpb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ai66uq00ax202.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atpk4sqovxf2y.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awfdktgdajxzt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnbm2ncu9edm7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bsobgla5ebrjj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cj92kmlm09rx6.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmpf8huatefqk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn20xuahy8t1g.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csyn20vl3z4q0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwdnohn9obt5r.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darveicg7xcj0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dn50y7ahnc1bj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dt2cg075ch11u.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dt2hlgmn1nzpl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7m959mli25a72.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7qdvi1ojq79ap.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7vcfugjejghtu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"822xkcv8p7yj5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"830pmmvl3x3qb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"86dcshj21wg6m.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8a3peanh4uz8e.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8k9dg54uoiaig.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"902zrmiyj0203.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"93k4iwdrz9dv0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"94sd02j2s8w5g.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9ir8es90oecw2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5gimy9lgi9xbl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5izwfepuwh2ic.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5oqmgkgz5rf70.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5p981xjz7sbyt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5sq4py78k91rm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5vhkbv1vxxsnm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6bs426zjqpbth.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6dbu605hajf1q.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6ep9wbu6v24n0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6km9ottqfh6zn.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6q4rlo4sr8s85.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6vzdx310bfwa5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"74of7b9bmuags.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7d0qhl3jn2xp2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7d2zsoxb59ie1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7dxudveyrs1qv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7e3xn5owh54h1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2odsenx2yp0lo.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2yj7j6r9vo33o.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"35vy1pligjgul.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"397nrivd76yo3.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3jxjww65p5maz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3mar7y5c3r4zx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3obruwxmqzonj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3w2o83k0n8265.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3y9cnn3ltwru4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"456iqa3y1dx4m.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4sntr015i7xom.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4ui23j0z9jjrn.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4v0qmowukun68.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"54x58q8lib4hu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55ueww9semkcm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"59vajiveghhtk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"05by1jl7fjlpm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"06g15h6u4co8d.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"08cke7akux8kw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0a2oobiviohq1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0vmyb63gn2ptp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0vwdh086y6617.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16pul9mybq7xz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1j89dadarol4g.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1tznpvtx5dfm8.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"20ztrlynhqrkl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"296e90bwwbghd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2970uw58lq0x7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2ekg1e4hsed7c.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2nviz2u0243nr.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daxbkb16ebdao.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m4ivqiz0weqy7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0ei4jxf0cszgd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"54zgxvq8jzq81.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tesc2obtfbdke.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w1nd36e506qqi.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fc4v5wx4p4syq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"43wubiwvmajs3.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4w1b7rsnyg3sm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520748/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h8gw0cbhkkrrf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k2yu4bhadklet.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wqfvb1lom02cg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfi23ljskvgtg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofvs2a3nhyrqi.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520725; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7o3zfbd5rf5mz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flewo6le618h7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r7rw9inm558jg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7qjjcy6vg835x.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8sz83ieffpzwj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"0eftob9vxa877.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0j62jm3djgxe7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2vijxyqbqsbl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vuu79f2ne8xl1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ew3crbjgfbbhd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lqhhfpiqp5chx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f3be5ccj5ioc7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1ngmbwokqkiov.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nh0hujf2w5xi9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bgiphdk30zk35.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8n3rj69ohv8rv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"29e8eji42sktd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bqlbyaavprz19.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qj2suuu4ixgvf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b2ys2fltibnfu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z0lg8lijtw3mh.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p3arx0taom00w.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gquyy1qf8ncn7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ref18bh4aku24.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epqykfhm5zq6l.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zw96t31o1h768.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c45ze0b5hhvdg.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6kjpjs3v34hbf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qhyut7e0tjz2a.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5p9udlfi4yvg6.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5ew1715l4z3ef.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zom3rkt078g1k.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520688/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n2cy5wx4nfs8n.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qnw1tsg4ogxa0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"84ntpl4mk4cwm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m5f2awao92hp9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nq0tsip71ecq5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520693; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ithg3ysseil61.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mvp5pt36h20vf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"51415jvbttwu4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l0ecv85wptocs.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuq0isjlua30l.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"wd7jo4d8zlxg0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2885patz8ovcf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1zwze7b6jqovz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s23kd323qzj2l.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4me127ppi31at.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eifir9x2xpqsb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hlnzokni29fh.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykv99faqy3ky4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r4a4n001s7uhi.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r976ptnxbh52l.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tv9jc206cpnyd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xf30997j6tp8z.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nl2jkkuqs8efp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5395dg0j4h79n.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v30ty639krk3p.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oknzqkp6ph302.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rlq13ng659buz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520679; rev:1;)
# DNS-query indicators: 13-character labels under .life. The msg text names no
# malware family. NOTE(review): the labels look machine-generated, judging by
# their shape only - confirm against the ThreatFox entry in each reference:url.
#
# Match logic, the same in every rule of this run:
#   dns_query + content + depth equal to the content length + isdataat:!1,relative
#   -> the whole query name must equal the listed name (nocase). A subdomain of
#   it, or a longer name that merely contains it, does not match.
# The rule direction is $HOME_NET -> $EXTERNAL_NET, so it fires on the outbound
# query. NOTE(review): where clients use an internal resolver, the alert source
# is presumably the resolver, not the querying host - correlate with resolver logs.
# target:src_ip marks the source address as the target side in alert output.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ey9n44bwtmjaw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trtiqjiry7k05.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9vgvnzk51j1sy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wi88w99xo9zlt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoieva2gl9tzx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7oo4hxt5haih5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ey8axyn00x8sf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kks80hyrpbmuz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apsgw881ol7rs.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rmqa3jodwcmgd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85ur7zivhczam.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evzftxl2qjfj4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cp2br7osw928r.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lhunevjdxw5kz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jbrprj8im7aia.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rdg0u5n7237r5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xwn7sukhzhbqv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8vh7uizstjhnb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u8karkeeu2qtj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j34duklow92k3.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8sg769rvpe1lp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inkja7hekgcuv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"19ak90ckxyjxc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o2u1xbm9xoq4p.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9b10t4vyvx6b5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9nl2a1qma4swd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520655; rev:1;)
# DNS-query indicator: dns_query + depth equal to the content length +
# isdataat:!1,relative means the query name must equal the listed name exactly (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gc9fctjq62t2e.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520656; rev:1;)
# IP:port indicators. These rules carry no flow or payload keywords, so any TCP
# packet from $HOME_NET to the listed address and port matches - including a
# connection attempt that is never answered. A hit therefore shows an attempt to
# reach the address, not an established session.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds.
# The family named in msg and the confidence_level are carried from the ThreatFox
# entry in reference:url. NOTE(review): several entries here are 75% confidence
# on port 443, and addresses can be reassigned - check first_seen and the
# referenced entry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [94.26.90.81] 2404 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520651/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520651; rev:1;)
alert tcp $HOME_NET any -> [37.120.206.165] 63513 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520650/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520650; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 3940 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520649; rev:1;)
alert tcp $HOME_NET any -> [213.139.205.136] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520644/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520644; rev:1;)
alert tcp $HOME_NET any -> [84.200.205.246] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520645/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520645; rev:1;)
alert tcp $HOME_NET any -> [192.121.17.241] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520646/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520646; rev:1;)
alert tcp $HOME_NET any -> [194.61.120.106] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520647/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520647; rev:1;)
alert tcp $HOME_NET any -> [89.36.231.38] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520648/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520648; rev:1;)
# URL indicators. flow:established,from_client restricts matching to client
# requests on an established flow; http.method must contain "GET".
# The http.uri content has depth equal to its own length and no end anchor, so
# it matches any URI that begins with the listed path (nocase), including longer
# paths and query strings. The http.host content has depth plus
# isdataat:!1,relative, so the host buffer must equal the listed value exactly.
# These rules have no threshold, so each matching request can alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagepythonsecuredownloadstemporary.php"; depth:40; nocase; http.host; content:"cs53692.tmweb.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520642/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520642; rev:1;)
# DNS-query indicator: dns_query + depth equal to the content length +
# isdataat:!1,relative means the query name must equal the listed name exactly
# (nocase); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joyjaxforme.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520577; rev:1;)
# IP:port indicators labelled Cobalt Strike in msg. No flow or payload keywords:
# any TCP packet from $HOME_NET to the listed address and port matches, so the
# alert says only that the destination was contacted, not what was exchanged.
# threshold limits output to one alert per source address per 60 seconds.
# NOTE(review): ports 80 and 443 on hosted addresses may also serve unrelated
# content - corroborate with the ThreatFox entry in reference:url and host telemetry.
alert tcp $HOME_NET any -> [54.183.101.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520578; rev:1;)
alert tcp $HOME_NET any -> [8.140.28.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520579; rev:1;)
alert tcp $HOME_NET any -> [110.40.142.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520580; rev:1;)
alert tcp $HOME_NET any -> [45.125.33.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520581; rev:1;)
alert tcp $HOME_NET any -> [222.186.38.10] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520582; rev:1;)
# DNS-query indicators, exact-name match as above. Two of the three names are
# hosts under tempoestil.com; each rule covers only its own fully qualified
# name, so the parent domain and any other host under it are not matched here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.tempoestil.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"command.outliertech.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.tempoestil.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520585; rev:1;)
# IP:port indicators whose msg gives the family as "Unknown malware"; match and
# threshold behaviour is the same as for the Cobalt Strike entries above.
alert tcp $HOME_NET any -> [4.232.128.157] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520586; rev:1;)
alert tcp $HOME_NET any -> 
[103.112.96.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520587; rev:1;)
# DNS-query indicators under posteid-a365.com. The left-hand labels carry
# banking, payment and account-login brand names, while the registered domain is
# the same in every rule. NOTE(review): the feed tags these as "botnet C2
# traffic"; the naming looks like credential-phishing infrastructure - confirm
# against the ThreatFox entries before choosing a response playbook.
# Each rule matches only its exact fully qualified name (depth equal to the
# content length + isdataat:!1,relative, nocase). Other hosts under
# posteid-a365.com, and the bare domain itself, are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"banking.banking-postbankde.posteid-a365.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.stats.postfinancelogin.posteid-a365.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.paypal.posteid-a365.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accounts.google.posteid-a365.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbbe.loginpaxful.posteid-a365.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.microsoft.live.posteid-a365.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520593; rev:1;)
# IP:port indicator ("Unknown malware" in msg). No flow or payload keywords, so
# any TCP packet to the address and port matches; threshold limits output to one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [168.231.118.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520597; rev:1;)
# One more exact-name DNS indicator under posteid-a365.com.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dealerhub.ebanking.posteid-a365.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520594; rev:1;)
# IP:port indicators ("Unknown malware" in msg), same match and threshold
# behaviour as the 168.231.118.20 rule above.
alert tcp $HOME_NET any -> [100.20.170.29] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520595; rev:1;)
alert tcp $HOME_NET any -> [212.147.68.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1520596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520596; rev:1;)
# IP:port indicators whose msg gives the family as "Unknown malware". The rules
# carry no flow or payload keywords, so any TCP packet from $HOME_NET to the
# listed address and port matches, including an unanswered connection attempt.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds.
# 3.109.121.218 is listed twice, once per port (80 and 8000), under separate sids.
# NOTE(review): with no family in msg, the ThreatFox entry in reference:url is
# the only context for triage - consult it before acting on a hit.
alert tcp $HOME_NET any -> [3.215.71.161] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520598; rev:1;)
alert tcp $HOME_NET any -> [3.109.121.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520599; rev:1;)
alert tcp $HOME_NET any -> [3.109.121.218] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520600; rev:1;)
alert tcp $HOME_NET any -> [18.191.26.159] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520601; rev:1;)
alert tcp $HOME_NET any -> [137.220.205.223] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520602; rev:1;)
alert tcp $HOME_NET any -> [149.202.133.94] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520603; rev:1;)
alert tcp $HOME_NET any -> [170.64.242.210] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520606; rev:1;)
alert tcp $HOME_NET any -> [54.80.76.15] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520605; rev:1;)
alert tcp $HOME_NET any -> [178.128.254.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520604; rev:1;)
alert tcp $HOME_NET any -> [164.92.147.36] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520607; rev:1;)
alert tcp $HOME_NET any -> [172.174.34.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520608; rev:1;)
alert tcp $HOME_NET any -> [157.173.219.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520609; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.33] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520613/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520613; rev:1;)
# URL and domain indicators for the same host, assets-msn.org.
# URL rule: GET on an established client flow; the http.uri content has depth
# equal to its length and no end anchor, so any URI beginning with "/siglost"
# matches (nocase); http.host must equal the listed name exactly.
# Domain rule: the DNS query name must equal the listed name exactly (nocase),
# and it fires on the lookup regardless of which URL is requested afterwards.
# The alert http rule only inspects traffic parsed as HTTP, so for a fetch over
# TLS the DNS rule is the one of this pair that can still fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siglost"; depth:8; nocase; http.host; content:"assets-msn.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assets-msn.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520302; rev:1;)
alert tcp $HOME_NET any -> [47.117.113.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520304; rev:1;)
# IP:port indicators labelled Cobalt Strike in msg. No flow or payload keywords:
# any TCP packet from $HOME_NET to the listed address and port matches, so a hit
# records contact with the endpoint rather than any protocol content.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds.
# The destination ports are matched as plain TCP port numbers (21, 443, 7443,
# 8748, 47231 below); no application protocol is checked on any of them.
alert tcp $HOME_NET any -> [148.66.2.195] 21 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520305; rev:1;)
alert tcp $HOME_NET any -> [139.180.141.50] 8748 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520306; rev:1;)
alert tcp $HOME_NET any -> [1.15.93.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520307; rev:1;)
alert tcp $HOME_NET any -> [194.135.16.61] 47231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520308; rev:1;)
alert tcp $HOME_NET any -> [122.51.30.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520309; rev:1;)
alert tcp $HOME_NET any -> [101.33.198.246] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520310; rev:1;)
# URL indicator on a host under trycloudflare.com. GET on an established client
# flow; any URI beginning with "/siglost" matches (depth equals the content
# length, no end anchor, nocase); http.host must equal the listed name exactly.
# alert http only inspects traffic parsed as HTTP. NOTE(review): hosts under
# this domain are presumably reached over HTTPS in most cases, where this rule
# sees nothing without upstream decryption - rely on DNS or TLS-level coverage
# for the same name as well.
# The match is on this one host name only; other names under trycloudflare.com
# are unaffected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siglost"; depth:8; nocase; http.host; content:"recommendation-samoa-weights-guyana.trycloudflare.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520345; rev:1;)
# IP:port indicators (Cobalt Strike, FAKEUPDATES per msg); same packet-level
# match and per-source 60-second alert limit as the rules at the top of this run.
alert tcp $HOME_NET any -> [45.195.197.3] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520573; rev:1;)
alert tcp $HOME_NET any -> [82.156.132.252] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520574; rev:1;)
alert tcp $HOME_NET any -> [45.76.27.167] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"recommendation-samoa-weights-guyana.trycloudflare.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1520346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520346; rev:1;)
# URL indicators ("payload delivery" in msg). Each rule requires an established
# client flow and an http.method containing "GET". The http.uri content has
# depth equal to its length and no end anchor, so it matches any URI that begins
# with the listed path (nocase), including a trailing query string. http.host
# has depth plus isdataat:!1,relative, so the host buffer must equal the listed
# name exactly.
# NOTE(review): the /wp-content/ path suggests the host may be a compromised
# site rather than attacker-owned infrastructure - confirm before blocking the
# whole domain on the strength of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/rsks.zip"; depth:20; nocase; http.host; content:"totalsolucao.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520297; rev:1;)
# IP:port indicator: no flow or payload keywords, so any TCP packet to the
# address and port matches; one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [94.158.245.115] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520298; rev:1;)
# linhua97.top: one DNS rule for the name and three URL rules for paths under
# /jsen/. The DNS rule fires on an exact-name lookup whatever path is requested
# afterwards; the URL rules add which resource was requested, but only when the
# request is visible as plaintext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsen/ddd.php"; depth:13; nocase; http.host; content:"linhua97.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"linhua97.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsen/select.js"; depth:15; nocase; http.host; content:"linhua97.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsen/core-compiled.js"; depth:22; nocase; http.host; content:"linhua97.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520293; rev:1;)
# IP:port indicators (Cobalt Strike at 100%, Mirai at 75% per msg and
# metadata). Packet-level match on destination address and port only;
# threshold keeps it to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [38.165.21.186] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520263; rev:1;)
alert tcp $HOME_NET any -> [103.205.6.134] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520264; rev:1;)
alert tcp $HOME_NET any -> [45.135.194.43] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520290/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cv.jyla.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520291; rev:1;)
# IP:port indicators (Cobalt Strike and NjRAT per msg). The rules carry no flow
# or payload keywords, so any TCP packet from $HOME_NET to the listed address
# and port matches, including an unanswered connection attempt.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds.
# 106.75.251.248 is listed twice, once per port (801 and 2095), under separate sids.
alert tcp $HOME_NET any -> [47.120.57.192] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520640; rev:1;)
alert tcp $HOME_NET any -> [43.143.216.185] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520641; rev:1;)
alert tcp $HOME_NET any -> [106.75.251.248] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520638; rev:1;)
alert tcp $HOME_NET any -> [106.75.251.248] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520639; rev:1;)
alert tcp $HOME_NET any -> [196.251.71.99] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520637; rev:1;)
alert tcp $HOME_NET any -> [213.209.150.210] 7773 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520630; rev:1;)
# DNS-query indicators. dns_query + depth equal to the content length +
# isdataat:!1,relative means the query name must equal the listed name exactly
# (nocase); subdomains do not match.
# The first rule is 100% confidence; the four after it are 50% (see
# confidence_level in metadata). NOTE(review): serveminecraft.net looks like a
# dynamic-DNS style parent domain - that rule covers only the one host name, and
# the 50% entries deserve corroboration before containment action.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hgjbp.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"animatcxju.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520626/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"enumermbzz.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520627/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"albizzcdlv.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520628/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"radiocity.serveminecraft.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520625/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520625; rev:1;)
# 50%-confidence IP:port indicator; packet-level match as described at the top.
alert tcp $HOME_NET any -> [213.252.246.65] 2666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520624/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520624; rev:1;)
# URL indicators at 50% confidence with an IP literal as the host. GET on an
# established client flow; any URI beginning with "/supershell/login" matches
# (depth equals the content length, no end anchor, nocase); the http.host
# buffer must equal the listed address exactly. msg names no malware family.
# These rules have no threshold, so repeated requests alert each time.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.113.73.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520623/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"112.126.77.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520622/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520622; rev:1;)
# 50%-confidence IP:port indicators; packet-level match, one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [27.206.220.180] 55080 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520621/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520621; rev:1;)
alert tcp $HOME_NET any -> [18.175.136.240] 1604 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520620/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520620; rev:1;) alert tcp $HOME_NET any -> [67.213.108.79] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520619; rev:1;) alert tcp $HOME_NET any -> [204.48.27.82] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520618; rev:1;) alert tcp $HOME_NET any -> [43.246.208.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520617; rev:1;) alert tcp $HOME_NET any -> [46.142.145.12] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520616/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520616; rev:1;) alert tcp $HOME_NET any -> [183.63.173.29] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520615/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520615; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rwdfn.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"zovercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520612/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogapds"; depth:7; nocase; http.host; content:"flamingof.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520611/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520611; rev:1;) alert tcp $HOME_NET any -> [54.218.2.134] 1553 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rhbqx.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520576; rev:1;) alert tcp $HOME_NET any -> 
[23.249.29.117] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520572; rev:1;) alert tcp $HOME_NET any -> [61.156.44.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520571/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520571; rev:1;) alert tcp $HOME_NET any -> [27.152.182.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520570/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520570; rev:1;) alert tcp $HOME_NET any -> [218.28.104.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520567/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520567; rev:1;) alert tcp $HOME_NET any -> [218.60.175.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520568/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520568; rev:1;) alert tcp $HOME_NET any -> [125.76.82.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520565/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520565; rev:1;) alert tcp $HOME_NET any -> [123.249.20.20] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520564/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520564; rev:1;) alert tcp $HOME_NET any -> [117.148.177.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520563/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_13; classtype:trojan-activity; sid:91520563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jvlmr.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipepythonphpprotectlocal.php"; depth:30; nocase; http.host; content:"188.93.211.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nrfwj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.255.183.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520374/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_13; classtype:trojan-activity; sid:91520374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pksns.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520373; rev:1;) alert tcp $HOME_NET any -> [196.119.246.17] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.accountyahoo.posteid-a365.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahoorecovery.posteid-a365.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520368; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebanking-ch1.ebanking-ch1.posteid-a365.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dhl.posteid-a365.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlineservices.onlineservices.posteid-a365.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.livelogin.posteid-a365.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.login.posteid-a365.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520366; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zdassets.loginpaxful.posteid-a365.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.accountgoogle.posteid-a365.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaccount.google.posteid-a365.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520364; rev:1;) alert tcp $HOME_NET any -> [18.188.181.166] 135 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520360; rev:1;) alert tcp $HOME_NET any -> [18.188.181.166] 38985 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520361; rev:1;) alert tcp $HOME_NET any -> [18.143.179.51] 2403 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520358; rev:1;) alert tcp $HOME_NET any -> [51.20.189.124] 38248 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520359; rev:1;) alert tcp $HOME_NET any -> [51.89.205.214] 7878 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520357; rev:1;) alert tcp $HOME_NET any -> [185.239.237.78] 40120 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520356; rev:1;) alert tcp $HOME_NET any -> [45.141.233.47] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520355; rev:1;) alert tcp $HOME_NET any -> [107.172.79.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; 
classtype:trojan-activity; sid:91520354; rev:1;) alert tcp $HOME_NET any -> [179.14.13.169] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520353; rev:1;) alert tcp $HOME_NET any -> [172.111.189.20] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520352; rev:1;) alert tcp $HOME_NET any -> [23.94.169.141] 15684 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_13; classtype:trojan-activity; sid:91520351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mmgdt.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aliyun-prvhqgdlsj.cn-hangzhou.fcapp.run"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520349/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ffjdc.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520348; rev:1;)
# ip:port rules carry no content or flow option, so any TCP packet from $HOME_NET to the
# listed address and port matches; `threshold: type limit ... seconds 60, count 1` caps
# that at one alert per source address per minute. `target:src_ip` marks the internal
# source as the affected host in the event record.
alert tcp $HOME_NET any -> [51.38.140.87] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520347; rev:1;)
# Domain rules pin the whole query name: `depth` equals the content length and
# `isdataat:!1,relative` requires the buffer to end right after it, so a subdomain or a
# longer name containing this string does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vclpg.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520344; rev:1;)
# NOTE(review): the header is `alert tcp` on port 53, so UDP traffic to the same address
# is not covered by this rule; confirm against the ThreatFox entry whether that is intended.
alert tcp $HOME_NET any -> [38.54.112.234] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520343/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520343; rev:1;)
# NOTE(review): the parent zone looks like a vendor dynamic-DNS service shared by many
# unrelated hosts; the exact-name match keeps the alert to this one hostname. Triage with
# the 75% confidence level in mind rather than treating the parent zone as hostile.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asusupdateserver.asuscomm.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520342/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520342; rev:1;)
alert tcp $HOME_NET any -> [75.2.43.104] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520341/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; 
classtype:trojan-activity; sid:91520341; rev:1;)
# ip:port rules: no content or flow option, so any TCP packet from $HOME_NET to the listed
# address and port matches; the threshold limits output to one alert per source per 60 s.
alert tcp $HOME_NET any -> [144.208.127.129] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520340/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520340; rev:1;)
alert tcp $HOME_NET any -> [107.152.33.179] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520339/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520339; rev:1;)
# URL rules on a shared platform host: the host alone is not an indicator, the alert is
# carried by the exact path in http.uri (anchored with depth) plus the exact http.host.
# NOTE(review): these are `alert http` rules, so they only see requests the sensor can
# parse as HTTP. The two hosts below are normally reached over HTTPS; without TLS
# inspection in front of the sensor these rules will presumably never fire. Verify, and
# cover the IOC from proxy logs or endpoint telemetry if so.
# NOTE(review): only method GET is matched; a request to the same webhook path with
# another method does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/938420152268115979/gbld0enqkdwrwc8vme5in_nqlycyfzkn_wq48f9rbqwaf9o_29tnubwgjg2bfqlldn8s"; depth:101; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520337; rev:1;)
# The URI content has depth but no trailing isdataat, so a request whose path continues
# after the file name (for example a query string) still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/831225076187660348/902512908485935114/shost.exe"; depth:60; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520338; rev:1;)
alert tcp $HOME_NET any -> [68.235.43.14] 58849 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1520336/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"suave0316.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520335/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aliendemon.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"williamou.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520334/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hackeroibambini-38888.portmap.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kpnoq8eil.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520331/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; 
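classtype:trojan-activity; sid:91520331; rev:1;)
# Fixed: the generated rule looked for the hostname "view.mexcs.shop" at the very start of
# http.uri (depth:15). A request target normally begins with "/", so that anchored match
# would not fire on ordinary requests. The hostname is now matched in http.host with the
# same exact-match form (depth + isdataat:!1,relative) the other URL rules in this file use.
# http.host is compared in lowercase, so no nocase is needed there.
# rev is bumped locally because the match logic changed; the next feed refresh will
# overwrite this line, so the defect is also worth reporting to the feed.
# NOTE(review): assumes the IOC is a host-only URL with no path; confirm on the ThreatFox page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"view.mexcs.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520330/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520330; rev:2;)
# The URI part here is only "/" with depth:1 and no end-of-buffer check, so it matches
# every request path; in effect this rule alerts on any GET whose Host is exactly this
# address. Expect it to be noisier than path-specific URL rules (confidence level 50).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"112.126.77.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520329/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520329; rev:1;)
# ip:port rules: no content or flow option, so any TCP packet from $HOME_NET to the listed
# address and port matches; the threshold limits output to one alert per source per 60 s.
alert tcp $HOME_NET any -> [27.102.138.154] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520328/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520328; rev:1;)
alert tcp $HOME_NET any -> [129.226.72.96] 9527 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520327; rev:1;)
alert tcp $HOME_NET any -> [91.4.35.118] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520326/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520326; rev:1;)
alert tcp $HOME_NET any -> [223.109.175.247] 10001 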
(msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520325/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520325; rev:1;)
# ThreatFox IOC rules, one rule per line (Suricata only continues a rule onto
# the next line when the break is escaped with a backslash). The line above is
# the tail of a rule whose header precedes this section.
#
# Templates used in this run:
#   tcp  ip:port - header-only match on destination address and port. No flow
#        or content keyword is present, so any TCP packet from $HOME_NET to the
#        endpoint qualifies, including a SYN that is never answered. Read an
#        alert as attempted contact and confirm a session in flow records.
#        threshold emits at most one alert per source per 60 seconds, so alert
#        counts understate connection counts.
#   dns  domain  - depth equals the pattern length and isdataat:!1,relative
#        forbids trailing bytes: only the exact name matches (nocase), a query
#        for a subdomain does not.
#   http url     - method contains GET, URI starts with the listed path (depth
#        without isdataat is a prefix match), Host equals the listed value
#        exactly. Only HTTP the engine can parse is inspected; the same host
#        reached over TLS is not seen by these rules.
#
# target:src_ip marks the internal client as the affected host in the event.
# metadata confidence_level is the feed's own rating; use it for severity and
# routing. Rules carry first_seen but no expiry, so refresh from the feed
# instead of keeping a pinned copy.
# In every rule here sid = 90000000 + the ioc id in the reference URL.
alert tcp $HOME_NET any -> [176.100.37.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520323/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520323; rev:1;)
alert tcp $HOME_NET any -> [209.200.252.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520324/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520324; rev:1;)
alert tcp $HOME_NET any -> [45.33.88.161] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520321/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520321; rev:1;)
alert tcp $HOME_NET any -> [93.115.172.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520322/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520322; rev:1;)
alert tcp $HOME_NET any -> [209.141.34.106] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520320; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.90] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520318; rev:1;)
alert tcp $HOME_NET any -> [162.248.225.187] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520319; rev:1;)
alert tcp $HOME_NET any -> [51.89.115.254] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520317; rev:1;)
alert tcp $HOME_NET any -> [45.141.233.34] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520316/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_12; classtype:trojan-activity; sid:91520316; rev:1;)
alert tcp $HOME_NET any -> [95.214.55.246] 8282 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520315; rev:1;)
alert tcp $HOME_NET any -> [27.106.125.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520314; rev:1;)
alert tcp $HOME_NET any -> [104.37.172.227] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520313; rev:1;)
alert tcp $HOME_NET any -> [118.178.187.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520312; rev:1;)
# NOTE(review): dns_query is the older keyword name; newer Suricata
# documentation uses dns.query. Check the engine version before changing it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"licz.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"balp.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5p5vtys3n4"; depth:11; nocase; http.host; content:"captcha.suna.bet"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1bfb1f66.php"; depth:13; nocase; http.host; content:"atezzz.atwebpages.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nygz.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520292; rev:1;)
alert tcp $HOME_NET any -> [47.239.129.136] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"junm.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520288; rev:1;)
alert tcp $HOME_NET any -> [198.12.83.91] 40734 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520287; rev:1;)
# ThreatFox IOC rules, one rule per line (Suricata only continues a rule onto
# the next line when the break is escaped with a backslash).
#
# Three templates appear below:
#   tcp  ip:port - header-only match on destination address and port. No flow
#        or content keyword is present, so any TCP packet from $HOME_NET to the
#        endpoint qualifies, including a SYN that is never answered. Read an
#        alert as attempted contact and confirm a session in flow records.
#        threshold emits at most one alert per source per 60 seconds, so alert
#        counts understate connection counts.
#   dns  domain  - depth equals the pattern length and isdataat:!1,relative
#        forbids trailing bytes: only the exact name matches (nocase), a query
#        for a subdomain does not.
#   http url     - method contains GET, URI starts with the listed path (depth
#        without isdataat is a prefix match), Host equals the listed value
#        exactly. Only HTTP the engine can parse is inspected; the same host
#        reached over TLS is not seen by these rules.
#
# target:src_ip marks the internal client as the affected host in the event.
# metadata confidence_level (50, 75 or 100 in this run) is the feed's own
# rating; use it for severity and routing. Rules carry first_seen but no
# expiry, so refresh from the feed instead of keeping a pinned copy.
# In every rule here sid = 90000000 + the ioc id in the reference URL.
# NOTE(review): dns_query is the older keyword name; newer Suricata
# documentation uses dns.query. Check the engine version before changing it.
#
# Dynamic-DNS names: only these exact hostnames match, not the provider's
# parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biuropgcnc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biuropgcncbk.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sulf.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520284; rev:1;)
# Host is matched as the literal IP string, so a request to this address that
# sends a different Host header does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"52.199.49.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520283/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jipg.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520282; rev:1;)
alert tcp $HOME_NET any -> [156.244.13.67] 8080 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520281; rev:1;)
alert tcp $HOME_NET any -> [81.0.247.170] 465 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520280; rev:1;)
alert tcp $HOME_NET any -> [20.86.144.84] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520279; rev:1;)
alert tcp $HOME_NET any -> [139.162.149.223] 8001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520278; rev:1;)
alert tcp $HOME_NET any -> [5.8.19.5] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520277; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.13] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520276; rev:1;)
alert tcp $HOME_NET any -> [185.112.83.238] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520275; rev:1;)
alert tcp $HOME_NET any -> [83.149.72.49] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520274; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.233] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520273; rev:1;)
alert tcp $HOME_NET any -> [47.117.95.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520272; rev:1;)
# The url rules below pair a short URI prefix with an exact Host; the Host
# match is what makes them specific, the path alone would be weak evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"qdoovercovtcg.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520271/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/twnt"; depth:5; nocase; http.host; content:"plumbbujjh.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520270/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xelw.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"dflowerexju.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520268/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"nzmedtipp.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520267/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"hvoznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520266/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"covercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520265/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qupt.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lykr.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"ifeaturlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520260/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"8overcovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520259/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520259; rev:1;)
alert tcp $HOME_NET any -> [209.54.102.133] 8076 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520258/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520258; rev:1;)
# chinapark.top, totalsolucao.com and www.roammco.com each have a dns rule and
# one or more http rules, so a single cleartext fetch can raise both; correlate
# on src_ip before counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs/select.js"; depth:13; nocase; http.host; content:"chinapark.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chinapark.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs/lll.php"; depth:11; nocase; http.host; content:"chinapark.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fsco.zip"; depth:9; nocase; http.host; content:"totalsolucao.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.roammco.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"totalsolucao.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"www.roammco.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520254; rev:1;)
alert tcp $HOME_NET any -> [151.242.69.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520228; rev:1;)
alert tcp $HOME_NET any -> [39.100.106.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520227; rev:1;)
alert tcp $HOME_NET any -> [121.37.237.16] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dynk.run"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520253; rev:1;)
alert tcp $HOME_NET any -> [8.153.204.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tvmovies.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520244/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"udevd.microsoftools.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520245/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520245; rev:1;)
alert tcp $HOME_NET any -> [38.46.13.82] 27997 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520243; rev:1;)
alert tcp $HOME_NET any -> [118.107.46.23] 27979 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cp.exchangeodds.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520241; rev:1;)
# NOTE(review): the next name looks like an ISP-assigned customer hostname; if
# so, the address behind it can be reassigned - confirm before attributing
# later hits to the same operator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-2-45-248-130.cust.vodafonedsl.it"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520240; rev:1;)
alert tcp $HOME_NET any -> [109.69.62.228] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520239; rev:1;)
alert tcp $HOME_NET any -> [196.251.80.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520238; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.228] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520237; rev:1;)
alert tcp $HOME_NET any -> [103.136.150.193] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520236; rev:1;)
alert tcp $HOME_NET any -> [216.250.253.128] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520235; rev:1;)
alert tcp $HOME_NET any -> [47.100.87.118] 8043 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520234; rev:1;)
alert tcp $HOME_NET any -> [43.139.104.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520233; rev:1;)
alert tcp $HOME_NET any -> [154.201.83.215] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520232; rev:1;)
alert tcp $HOME_NET any -> [1.92.100.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520231; rev:1;)
alert tcp $HOME_NET any -> [121.41.97.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520229; rev:1;)
alert tcp $HOME_NET any -> [8.153.205.30] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520230; rev:1;)
alert tcp $HOME_NET any -> [103.159.50.40] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520225/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jeqov.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91520224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tofukai.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519952; rev:1;)
alert tcp $HOME_NET any -> [154.197.69.150] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520223/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91520223; rev:1;)
# Every rule from here to the end of this run carries confidence_level 50, the
# lowest rating in this section. Treat a hit as a lead and corroborate it with
# host or flow evidence before escalating.
alert tcp $HOME_NET any -> [45.137.22.119] 15302 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1520222/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kabla.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520221/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"byamba.webredirect.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rimeone.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520203/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.romof.irish"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520204/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ronbloodtattoos.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520205/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ryt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.scritorioonline.store"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520207/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sghgs.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520208/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.spainproxy129.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tfe2f.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tp-jos178-a1.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ubliccnfdcbqae.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.usclecarsales.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ustraliafamilycare.store"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vatardesigns.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vx1s297.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.y71751.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520217/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yesite.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zcc90.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520219/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nsitechsolatam.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520183/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ntelligenceplatform.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520184/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ochafariasbusiness.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520185/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.odeinfra.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520186/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.omfortemporium.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520187/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ommodity-market-29.click"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520188/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oogleplay.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520189/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ordphanter.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520190/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ouasd.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520191/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"www.oyle-lawgroup.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520192/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pblanket.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520193/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pcuappconnect-7x.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520194/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.perturear.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520195/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rade-your-teacher.store"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520196/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.raft-opia.app"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1520197/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rainontheterrain.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520198/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rca-nc-test-13.fyi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520199/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.reaatendimento.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520200/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.reefiremaxapk.pro"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520201/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ridgingruralcommunities.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520202/; target:src_ip; metadata: confidence_level 
50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iomar.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520162/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iringpartnersinc.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520163/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ishlist.run"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520164/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.isneyai.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520165/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.itmap.group"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520166/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.itness-center-id-5619388.world"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520167/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ivajjmahal.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520168/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jhekite.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520169/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lainfacedproductions.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520170/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.laza.construction"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520171/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.lexacons.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520172/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ljorge.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520173/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.llabordage-team.tech"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520174/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lus-size-swimsuit.today"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520175/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.msp672.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520176/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.naughtbooks.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520177/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.naycrystalsava.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520178/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ncryptchat.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520179/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ndreas-marketing.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520180/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nipers.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520181/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.notherattributeecosystem.pro"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520182/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_05_12; classtype:trojan-activity; sid:91520182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eilaiquan.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520141/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eltatechnologies.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520142/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.elzz.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520143/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.emzone.asia"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520144/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eomappa.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520145/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ercowboy.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520146/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.erityhub.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520147/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.esignedbyclaire.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520148/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.etrev.world"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520149/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.etwaymkrwell.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520150/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eviewyourdata.online"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520151/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fghfghf.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520152/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gbdth.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520153/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gencewebinaire.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520154/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gkdemy.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520155/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hatchadoin.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520156/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_05_12; classtype:trojan-activity; sid:91520156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hcar.asia"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520157/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hescxpoi.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520158/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iami-florida-county.cfd"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520159/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.idas-development.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520160/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.implyhome.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520161/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ar79872479489.today"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520119/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ardedout.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520120/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arehouse-jobs-52853.bond"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520121/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arkettelligence.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520122/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arveno.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520123/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.asereward.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520124/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.asternky.university"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520125/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ataleague.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520126/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.avada129.casino"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520127/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.avada566.casino"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520128/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.azerian.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1520129/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.b-us-stone-panels-27f.today"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520130/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.conomicaccelerationzones.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520131/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.devgirdi.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520132/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dgx0i.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520133/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eaconfactory.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520134/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; 
classtype:trojan-activity; sid:91520134; rev:1;)
# --- Domain indicators (alert dns) -------------------------------------------
# Each rule below fires on a DNS query from $HOME_NET whose name is exactly the
# listed string: depth:<len> pins the content to the start of the dns_query
# buffer, isdataat:!1,relative requires that nothing follows it, and nocase
# ignores case. The bare domain (without "www.") and any other subdomain do
# not match these rules.
# The feed rates every rule here at confidence_level 50: treat a hit as a lead
# and check the per-rule reference URL before acting on it.
# target:src_ip tags the $HOME_NET source as the target side in alert output.
# Unlike the ip:port rules earlier in this file, these carry no threshold
# option, so every matching query alerts; rate-limit locally (for example in
# threshold.config) if one host floods the log.
# dns_query is the legacy spelling of the dns.query sticky buffer; the HTTP
# rules further down already use the dotted names.
# Only DNS that Suricata can parse is covered; queries sent to an encrypted
# resolver (DoH/DoT) are not visible to these rules.
# Many names in this file read like a familiar name with its first letter
# missing; they are kept exactly as the feed lists them - do not "correct"
# them when tuning.
# Indicators are point-in-time (first_seen 2025_05_12); refresh from the feed
# rather than carrying a stale copy.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealallergystudyhall.online"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520135/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eddingready.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520136/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eforcertx5090.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520137/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.egapay.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520138/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.egapersoneaals.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520139/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.egapromodealsdirect.world"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520140/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.3groupe.business"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520100/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4249984.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520101/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4249987.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520102/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4260380.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520103/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4260576.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520104/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4270911.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520105/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4loj.cyou"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520106/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.6wvpeijflqtm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520107/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.8299.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520108/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.acauchocolateonline.shop"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520109/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ahamasskate.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520110/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aiasangels.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520111/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ailis.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520112/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.alancedteam.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520113/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ameweb.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520114/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aminvip3210.sbs"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520115/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ammem.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520116/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.andersbro.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520117/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ar6toprea.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520118/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.0189.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520092/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.06157.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520093/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.0929.locker"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520094/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.0psrx.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520095/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1500.sbs"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520096/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1kkee321.lat"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520097/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.20840682.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520098/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.2345bgnrty.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1520099/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520099; rev:1;)
# --- URL indicators (alert http) ---------------------------------------------
# Each rule below needs all three conditions on an established
# client-to-server flow: a method containing "GET", a URI that begins with the
# listed prefix (depth:6, nocase), and a Host that equals the listed name
# exactly (depth:<len> plus isdataat:!1,relative). Only the prefixes /kp18/
# and /o82h/ occur in this part of the file.
# The host content has no nocase because http.host is a lower-cased buffer;
# the pattern has to stay lower-case to match.
# These rules see cleartext HTTP only; the same request inside TLS is not
# inspected unless traffic is decrypted upstream of the sensor.
# msg names no malware family here; use the per-rule reference URL for
# attribution. Confidence is 50 and there is no threshold option, as with the
# domain rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.vatardesigns.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520087/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.vx1s297.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520088/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.y71751.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520089/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.yesite.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520090/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.zcc90.sbs"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520091/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.romof.irish"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520076/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ronbloodtattoos.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520077/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ryt.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520078/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.scritorioonline.store"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520079/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.sghgs.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520080/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.spainproxy129.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520081/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.tfe2f.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520082/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.tp-jos178-a1.online"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520083/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ubliccnfdcbqae.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520084/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.usclecarsales.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520085/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ustraliafamilycare.store"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520086/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.pcuappconnect-7x.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520066/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.perturear.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520067/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.rade-your-teacher.store"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520068/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.raft-opia.app"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520069/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.rainontheterrain.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520070/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.rca-nc-test-13.fyi"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520071/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.reaatendimento.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520072/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.reefiremaxapk.pro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520073/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ridgingruralcommunities.net"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520074/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.rimeone.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520075/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ntelligenceplatform.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520056/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ochafariasbusiness.online"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520057/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.odeinfra.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520058/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.omfortemporium.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520059/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ommodity-market-29.click"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520060/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.oogleplay.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520061/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ordphanter.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520062/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ouasd.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520063/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.oyle-lawgroup.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.pblanket.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520065/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.lus-size-swimsuit.today"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.mallelectricarsgb.bond"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.msp672.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520048/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.naughtbooks.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520049/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.naycrystalsava.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520050/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ncryptchat.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520051/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ndreas-marketing.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520052/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.nipers.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520053/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.notherattributeecosystem.pro"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520054/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.nsitechsolatam.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520055/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.itmap.group"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520036/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.itness-center-id-5619388.world"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520037/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ivajjmahal.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520038/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.jhekite.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520039/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.lainfacedproductions.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520040/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.laza.construction"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.lexacons.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.limpsepublishing.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520043/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ljorge.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.llabordage-team.tech"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520045/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.hatchadoin.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520026/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.hcar.asia"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520027/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.hescxpoi.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520028/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.iami-florida-county.cfd"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520029/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.idas-development.info"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520030/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.implyhome.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520031/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.iomar.biz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520032/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.iringpartnersinc.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520033/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ishlist.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520034/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.isneyai.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520035/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ercowboy.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520016/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.erityhub.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520017/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.esignedbyclaire.info"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520018/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.etrev.world"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520019/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.etwaymkrwell.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520020/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.eviewyourdata.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520021/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.fghfghf.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520022/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.gbdth.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520023/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.gencewebinaire.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520024/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.gkdemy.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520025/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ealallergystudyhall.online"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520005/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; 
content:"www.eddingready.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.eforcertx5090.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520007/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.egapay.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.egapersoneaals.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.egapromodealsdirect.world"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520010/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_05_12; classtype:trojan-activity; sid:91520010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.eilaiquan.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520011/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.eltatechnologies.info"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520012/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.elzz.store"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520013/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.emzone.asia"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520014/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.eomappa.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.asereward.cloud"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.asternky.university"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519995/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ataleague.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519996/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.avada129.casino"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1519997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.avada566.casino"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.azerian.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.b-us-stone-panels-27f.today"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520000/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.conomicaccelerationzones.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520001; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.devgirdi.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.dgx0i.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.eaconfactory.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1520004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91520004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.alancedteam.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519983/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ameweb.cloud"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519984/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.aminvip3210.sbs"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519985/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ammem.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519986/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.andersbro.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519987/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ar6toprea.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519988/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ar79872479489.today"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.ardedout.store"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519990/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.arehouse-jobs-52853.bond"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.arkettelligence.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519992/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.arveno.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.4260380.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519973/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.4260576.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519974/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.4270911.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519975/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; 
content:"www.4loj.cyou"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519976/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.6wvpeijflqtm.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519977/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.8299.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519978/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.acauchocolateonline.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519979/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ahamasskate.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519980/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; 
classtype:trojan-activity; sid:91519980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.aiasangels.online"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519981/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.ailis.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519982/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.0189.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.06157.club"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.0929.locker"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519964/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.0psrx.sbs"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.1500.sbs"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.1kkee321.lat"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.20840682.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519968/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519968; rev:1;)
# URL indicators: outbound cleartext HTTP GET whose URI starts with the given
# 6-byte prefix and whose Host equals the given string exactly (depth = string
# length, isdataat:!1,relative forbids trailing bytes). confidence_level is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.2345bgnrty.lol"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519969/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp18/"; depth:6; nocase; http.host; content:"www.3groupe.business"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519970/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.4249984.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519971/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o82h/"; depth:6; nocase; http.host; content:"www.4249987.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519972/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519972; rev:1;)
# --- ThreatFox ip:port indicators (TCP) ------------------------------------
# These rules carry no flow, flags or content keyword: only the destination
# address and port are checked. An alert therefore means a host in $HOME_NET sent
# TCP traffic toward the listed endpoint, not that a C2 exchange was observed.
#   threshold: type limit, track by_src, seconds 60, count 1
#                                    at most one alert per source address per
#                                    60 seconds for each rule
#   target:src_ip                    the internal host is reported as the target
#   metadata confidence_level / first_seen
#                                    ThreatFox confidence (50, 75 or 100 here) and
#                                    the date the indicator was first seen
# The msg names a family for some entries and "Unknown malware" for others; the
# same address can appear on several ports, each as its own rule and sid.
# NOTE(review): address-only indicators give false positives once an address is
# reassigned or if it is shared hosting; use first_seen to expire old entries and
# weigh confidence_level before acting on a single alert.
alert tcp $HOME_NET any -> [3.22.65.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519961; rev:1;)
alert tcp $HOME_NET any -> [196.251.80.173] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519960/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519960; rev:1;)
alert tcp $HOME_NET any -> [82.29.71.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519959; rev:1;)
alert tcp $HOME_NET any -> [8.134.80.60] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519958; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.47] 7070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519957/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519957; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.31] 9090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519956/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519956; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.199] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519955/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519955; rev:1;)
alert tcp $HOME_NET any -> [45.40.245.61] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519954/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519954; rev:1;)
alert tcp $HOME_NET any -> [149.28.131.74] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519953/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519953; rev:1;)
alert tcp $HOME_NET any -> [81.0.247.170] 587 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519949; rev:1;)
alert tcp $HOME_NET any -> [81.0.247.170] 993 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519950; rev:1;)
alert tcp $HOME_NET any -> [81.0.247.170] 995 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1519951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csp.posteid-a365.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519944; rev:1;) alert tcp $HOME_NET any -> [81.0.247.170] 25 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519945; rev:1;) alert tcp $HOME_NET any -> [81.0.247.170] 110 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519946; rev:1;) alert tcp $HOME_NET any -> [81.0.247.170] 143 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519947; rev:1;) alert tcp $HOME_NET any -> [81.0.247.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519948; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"access.accessingdiba.posteid-a365.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.exchangeodds.live"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.paypal.posteid-a365.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519943; rev:1;) alert tcp $HOME_NET any -> [18.171.211.137] 5432 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519940; rev:1;) alert tcp $HOME_NET any -> [62.146.224.126] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519939; rev:1;) alert tcp $HOME_NET any -> [5.8.19.5] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519938; rev:1;) alert tcp $HOME_NET any -> [54.211.188.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519937; rev:1;) alert tcp $HOME_NET any -> [88.229.2.85] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dazzling-dhawan.94-156-177-241.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519934; rev:1;) alert tcp $HOME_NET any -> [88.229.2.85] 111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519935; rev:1;) alert tcp $HOME_NET any -> [172.111.137.162] 46167 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; 
classtype:trojan-activity; sid:91519932; rev:1;) alert tcp $HOME_NET any -> [80.77.25.233] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519933; rev:1;) alert tcp $HOME_NET any -> [216.219.85.188] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519931; rev:1;) alert tcp $HOME_NET any -> [154.222.21.53] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519930; rev:1;) alert tcp $HOME_NET any -> [152.32.164.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"45.194.17.148"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"tt.cbrw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"coinomi.space"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519923/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_12; classtype:trojan-activity; sid:91519923; rev:1;) alert tcp $HOME_NET any -> [149.88.71.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519924; rev:1;) alert tcp $HOME_NET any -> [5.75.210.140] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"32.aa.4t.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"32.aa.4t.com"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.210.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519925; rev:1;) alert tcp $HOME_NET any -> [154.21.201.41] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"taraucahkbm.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519918/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"gblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519917/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"eovercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519916/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519916; rev:1;) alert tcp $HOME_NET any -> [196.251.115.153] 3421 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519915/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"povercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519914/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519914; rev:1;) alert tcp $HOME_NET any -> [172.111.224.98] 3911 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519913/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"uaraucahkbm.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519912/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"qovercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519910/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akds"; depth:5; nocase; http.host; content:"qposseswsnc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519911/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zavc"; depth:5; nocase; http.host; content:"qeasterxeen.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519909/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"ometeorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519908/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; 
content:"oblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519907/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akds"; depth:5; nocase; http.host; content:"ngposseswsnc.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519906/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"iflowerexju.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519905/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"fblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519904/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"eblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519903/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; 
classtype:trojan-activity; sid:91519903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"1meteorplyp.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519902/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botangroup.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"xfeaturlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519900/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"wblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519899/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; 
http.host; content:"tfeaturlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519898/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; http.host; content:"gsaraucahkbm.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519896/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"lblackswmxc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519897/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"govercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519895/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juab"; depth:5; nocase; http.host; content:"dinterpwthc.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519894/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; 
classtype:trojan-activity; sid:91519894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bmx"; depth:4; nocase; http.host; content:"barmgek.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519893/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"9featurlyin.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519892/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"5-4meteorplyp.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519890/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akds"; depth:5; nocase; http.host; content:"6posseswsnc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519891/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"0wninepicchf.bet"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519889/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sheetmorning.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coachhoney.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.28] 24405 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519886/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tri.php"; depth:8; nocase; http.host; content:"crowsalt.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"institute-trademarks.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519884/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519884; rev:1;)
# -- Reviewer notes on the rule shapes used in this part of the feed ---------
# Domain rules (alert dns ... dns_query): depth equals the length of the
#   content string and isdataat:!1,relative requires that no byte follows it,
#   so a rule matches a query for exactly that name, case-insensitively
#   (nocase). The parent zone and sibling hostnames are not matched, which
#   matters for names under shared dynamic-DNS / tunnelling zones
#   (ddns.net, no-ip.*, serveftp.com, portmap.*, playit.gg, ply.gg).
# ip:port rules (alert tcp $HOME_NET any -> [ip] port): no flow or payload
#   keyword is present, so any TCP packet from $HOME_NET to that address and
#   port qualifies. threshold: type limit, track by_src, seconds 60, count 1
#   caps output at one alert per source per 60 s for each rule; a host that
#   touches several listed ports of one address still alerts once per rule.
# URL rules (alert http): flow:established,from_client plus a GET method
#   match. The http.uri content is anchored at offset 0 by depth but has no
#   end anchor (prefix match); http.host is matched exactly via depth and
#   isdataat:!1,relative, and carries no nocase because Suricata normalises
#   that buffer to lowercase.
# target:src_ip declares the $HOME_NET source as the target side of the
#   alert, i.e. the internal host is the one to investigate.
# Triage: confidence_level in metadata repeats the percentage shown in msg.
#   NOTE(review): address-based indicators can outlive the infrastructure
#   they described; check first_seen and the entry linked by reference:url
#   before treating a hit as confirmed, especially at confidence_level 50.
# ----------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cursuve.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519883/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"badass3456-45555.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519872/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dagodnox.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519873/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"elhombre3176-56154.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"harbingerofdeath-46635.portmap.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"haroborobo971-30110.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"impala701-47727.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mongrel38-43817.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pearlharbor953-54421.portmap.host"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519879/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rawcostura80-56041.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519880/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shirosensei2486-37140.portmap.host"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519881/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zuckkyrabi198-60433.portmap.io"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519882/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519882; rev:1;)
alert tcp $HOME_NET any -> [83.52.140.245] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519869/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519869; rev:1;)
alert tcp $HOME_NET any -> [83.58.129.56] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519870/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519870; rev:1;)
alert tcp $HOME_NET any -> [116.38.148.218] 5505 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519871/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"members-path.at.playit.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519867/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"plutoniumxxx.kro.kr"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519868/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519868; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.27] 39536 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519865/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519865; rev:1;)
alert tcp $HOME_NET any -> [45.134.140.162] 55960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519866/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aprendizleao.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519863/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xxxploit.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519864/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"microsoftdefenderr.serveftp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519861/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"military-nelson.at.playit.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519862/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519862; rev:1;)
alert tcp $HOME_NET any -> [95.68.221.95] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519860; rev:1;)
alert tcp $HOME_NET any -> [118.237.151.254] 1492 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519859/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ss037.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519858/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519858; rev:1;)
# The AsyncRAT entries below list the same address on several ports, one rule
# per (address, port) pair; correlate alerts by destination address.
alert tcp $HOME_NET any -> [193.32.249.160] 54926 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519847/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519847; rev:1;)
alert tcp $HOME_NET any -> [193.32.249.160] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519848/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519848; rev:1;)
alert tcp $HOME_NET any -> [193.32.249.160] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519849/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519849; rev:1;)
alert tcp $HOME_NET any -> [193.32.249.160] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519850/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519850; rev:1;)
alert tcp $HOME_NET any -> [193.32.249.160] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519851/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519851; rev:1;)
alert tcp $HOME_NET any -> [194.140.115.26] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519852/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519852; rev:1;)
alert tcp $HOME_NET any -> [194.140.115.26] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519853/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519853; rev:1;)
alert tcp $HOME_NET any -> [194.140.115.26] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519854/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519854; rev:1;)
alert tcp $HOME_NET any -> [206.206.77.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519855/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519855; rev:1;)
alert tcp $HOME_NET any -> [206.206.77.63] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519856/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519856; rev:1;)
alert tcp $HOME_NET any -> [206.206.77.63] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519857/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519857; rev:1;)
# URL rule scoped to one path: it fires only for a GET whose URI starts with
# the listed path on this exact host, not for other requests to the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ohar02rduo"; depth:15; nocase; http.host; content:"textbin.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519846/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"view.mexcs.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519845/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519845; rev:1;)
# The URI content here is a directory prefix ("/tmp/", depth:5), so any GET
# under that directory on this host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"disciply.nl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519844; rev:1;)
alert tcp $HOME_NET any -> [113.45.75.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519843/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519843; rev:1;)
alert tcp $HOME_NET any -> [27.102.138.154] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519842/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519842; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519841/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519841; rev:1;)
alert tcp $HOME_NET any -> [8.222.139.189] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519840/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"roomplot.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519839; rev:1;)
alert tcp $HOME_NET any -> [154.39.150.23] 443 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519838/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519838; rev:1;)
alert tcp $HOME_NET any -> [192.3.199.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519837/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519837; rev:1;)
alert tcp $HOME_NET any -> [43.139.124.56] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519834/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519834; rev:1;)
alert tcp $HOME_NET any -> [101.43.94.35] 180 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519835/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519835; rev:1;)
alert tcp $HOME_NET any -> [47.120.45.216] 8055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519836/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519836; rev:1;)
alert tcp $HOME_NET any -> [150.109.45.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519833/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_12; classtype:trojan-activity; sid:91519833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php"; depth:14; nocase; http.host; content:"traveljournal-techinsights.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519832; rev:1;)
alert tcp $HOME_NET any -> [47.122.20.70] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519831; rev:1;)
alert tcp $HOME_NET any -> [185.227.152.100] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519830; rev:1;)
alert tcp $HOME_NET any -> [115.159.71.204] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"neguh.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519828; rev:1;)
# "Unknown malware" in msg means the feed entry carries no family label; the
# match itself is still only destination address and port.
alert tcp $HOME_NET any -> [82.66.215.115] 8096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519813; rev:1;)
alert tcp $HOME_NET any -> [3.109.121.218] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519814; rev:1;)
alert tcp $HOME_NET any -> [35.156.20.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519815; rev:1;)
alert tcp $HOME_NET any -> [35.156.20.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519816; rev:1;)
alert tcp $HOME_NET any -> [137.220.205.227] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519817; rev:1;)
alert tcp $HOME_NET any -> [137.220.205.225] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519818; rev:1;)
alert tcp $HOME_NET any -> [111.90.151.147] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519819; rev:1;)
alert tcp $HOME_NET any -> [80.79.7.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519820; rev:1;)
alert tcp $HOME_NET any -> [1.214.64.187] 8088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519821; rev:1;)
alert tcp $HOME_NET any -> [23.95.216.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519822; rev:1;)
alert tcp $HOME_NET any -> [64.23.148.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519823; rev:1;)
alert tcp $HOME_NET any -> [104.168.148.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.tempoestil.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.tempoestil.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519808; rev:1;)
alert tcp $HOME_NET any -> [91.222.173.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519809; rev:1;)
alert tcp $HOME_NET any -> [31.59.184.185] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519810; rev:1;)
alert tcp $HOME_NET any -> [112.193.145.30] 8244 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519811; rev:1;)
alert tcp $HOME_NET any -> [176.65.138.55] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.tempoestil.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519806; rev:1;)
alert tcp $HOME_NET any -> [196.251.118.253] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519805; rev:1;)
alert tcp $HOME_NET any -> [43.132.120.20] 28371 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519803/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_12; classtype:trojan-activity; sid:91519803; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.111] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sst.zidd0o.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519801; rev:1;)
alert tcp $HOME_NET any -> [196.251.71.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"playnest.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519800; rev:1;)
# Tofsee: the entries from here on cover two addresses (185.156.72.19 and
# 185.156.72.43), one rule per (address, port) pair, all on ports in the
# 416-431 range. Thresholds are kept per rule and per source, so one host
# contacting several of these ports can raise one alert per rule; group the
# alerts by destination address when triaging.
alert tcp $HOME_NET any -> [185.156.72.19] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519618; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519619; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519620; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519621; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519622; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519623; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519624; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519625; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519626; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519627; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519628; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519629; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519630; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519631; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519632; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519633; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519634; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519635; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519636; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519637; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519638; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519639; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519640; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519641; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519642; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"godblessyou.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blessyoumother.world"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519645; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519725; rev:1;)
# Port 443 with no payload keyword: these two rules cannot tell the listed
# family's traffic from any other TCP session to the same address and port.
alert tcp $HOME_NET any -> [185.39.17.38] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519794; rev:1;)
alert tcp $HOME_NET any -> [83.222.190.174] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519795; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.19] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519796; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.43] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"traxanhc2.duckdns.org"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519827/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519827; rev:1;) alert tcp $HOME_NET any -> [103.252.137.107] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519826/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519826; rev:1;) alert tcp $HOME_NET any -> [185.156.72.43] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electrurm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519583/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519583; rev:1;) alert tcp $HOME_NET any -> [31.57.243.142] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519582; rev:1;) alert tcp $HOME_NET any -> [49.232.128.209] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519601; rev:1;) 
# Feed-generated ThreatFox rules, one rule per indicator. Templates in this run:
#   ip:port - "alert tcp $HOME_NET any -> [IP] PORT", no flow or payload
#             keyword: destination address and port are the whole match.
#             threshold (type limit, track by_src, seconds 60, count 1) gives
#             at most one alert per source per 60 seconds.
#   domain  - dns_query + content + depth equal to the name length +
#             isdataat:!1,relative + nocase: case-insensitive match of the
#             whole query name; sub-domains are not matched.
#   url     - http.method / http.uri / http.host buffers (one rule below).
# target:src_ip marks the $HOME_NET host as the alert target. classtype is
# trojan-activity for every rule, so confidence_level (75 or 100 here) has to
# be read from the msg text or the metadata field.
alert tcp $HOME_NET any -> [175.178.120.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519799/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519799; rev:1;)
# Host under baidubce.com (cloud provider domain). Only this exact name
# matches; other hosts under the same parent are out of scope.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"14j1eqpwe044f.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519798/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_12; classtype:trojan-activity; sid:91519798; rev:1;)
alert tcp $HOME_NET any -> [13.38.77.215] 59555 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519615; rev:1;)
alert tcp $HOME_NET any -> [79.239.114.113] 62843 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519616; rev:1;)
alert tcp $HOME_NET any -> [13.247.182.227] 9999 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519617; rev:1;)
alert tcp $HOME_NET any -> [31.59.184.185] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519614; rev:1;)
alert tcp $HOME_NET any -> [143.110.183.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519613; rev:1;)
# NOTE(review): the left-most labels ("bestwallet", "tradingview") look like
# brand lures; the rule itself only checks the full name - confirm the context
# on the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestwallet.my-profai.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tradingview.little-mouse.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519612; rev:1;)
alert tcp $HOME_NET any -> [196.251.118.253] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519609; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.77] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519610; rev:1;)
alert tcp $HOME_NET any -> [112.126.77.39] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519608; rev:1;)
alert tcp $HOME_NET any -> [94.237.82.115] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519607; rev:1;)
alert tcp $HOME_NET any -> [77.90.185.28] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519606; rev:1;)
alert tcp $HOME_NET any -> [47.120.37.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519603; rev:1;)
# Same address on two ports (443 and 80): one sid per ip:port pair, and each
# rule is thresholded separately.
alert tcp $HOME_NET any -> [106.53.191.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519604; rev:1;)
alert tcp $HOME_NET any -> [106.53.191.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519605; rev:1;)
alert tcp $HOME_NET any -> [45.219.226.29] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_12; classtype:trojan-activity; sid:91519602; rev:1;)
# From here on the indicators carry first_seen 2025_05_11.
alert tcp $HOME_NET any -> [43.255.159.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519600/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519600; rev:1;)
# "payload delivery" indicators are DNS-only here: the alert means the name
# was queried, not that anything was downloaded.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sijyh.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519599; rev:1;)
alert tcp $HOME_NET any -> [14.128.63.6] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519598; rev:1;)
alert tcp $HOME_NET any -> [46.236.195.130] 87 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519597/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519597; rev:1;)
alert tcp $HOME_NET any -> [23.24.41.225] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519596/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519596; rev:1;)
alert tcp $HOME_NET any -> [141.147.108.142] 80 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519594; rev:1;)
alert tcp $HOME_NET any -> [121.9.235.32] 54681 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519595; rev:1;)
alert tcp $HOME_NET any -> [18.177.128.103] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519593; rev:1;)
alert tcp $HOME_NET any -> [196.251.73.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519591; rev:1;)
alert tcp $HOME_NET any -> [154.21.201.16] 7878 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519592; rev:1;)
alert tcp $HOME_NET any -> [193.143.1.236] 80 (msg:"ThreatFox Poseidon Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519590; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.228] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519589; rev:1;)
alert tcp $HOME_NET any -> [49.113.73.193] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519588; rev:1;)
alert tcp $HOME_NET any -> [185.112.83.238] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519587; rev:1;)
alert tcp $HOME_NET any -> [103.157.28.180] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519586; rev:1;)
alert tcp $HOME_NET any -> [103.131.131.92] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cv.cbrw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519584; rev:1;)
# URL indicator: client-to-server GET on an established flow, http.uri
# beginning with the listed path (depth:53 with no isdataat, so a longer URI
# with that prefix also matches) and http.host equal to the listed name
# (depth:21 plus isdataat:!1,relative). The rule inspects parsed HTTP only;
# the same request inside TLS is not visible to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phppacketmultibaseuniversaltrackuploadsdownloads.php"; depth:53; nocase; http.host; content:"212194cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519581; rev:1;)
# Port 53 indicators are written as "alert tcp": UDP traffic to the same
# addresses on port 53 is not covered by these four rules.
alert tcp $HOME_NET any -> [217.198.5.240] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519580/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519580; rev:1;)
alert tcp $HOME_NET any -> [185.227.152.100] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519579/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519579; rev:1;)
alert tcp $HOME_NET any -> [176.98.178.4] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519577/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519577; rev:1;)
alert tcp $HOME_NET any -> [176.98.178.55] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519578/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sorov.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kepov.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519556; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pexab.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ciwid.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519557; rev:1;)
# Feed-generated ThreatFox rules, one rule per indicator (first_seen 2025_05_11
# throughout this run). Templates:
#   domain  - dns_query + content + depth equal to the name length +
#             isdataat:!1,relative + nocase: case-insensitive match of the
#             whole query name; sub-domains are not matched.
#   ip:port - "alert tcp $HOME_NET any -> [IP] PORT", no flow or payload
#             keyword: destination address and port are the whole match.
#             threshold (type limit, track by_src, seconds 60, count 1) gives
#             at most one alert per source per 60 seconds.
# target:src_ip marks the $HOME_NET host as the alert target. confidence_level
# ranges from 50 to 100 in this run while classtype stays trojan-activity, so
# the 50% entries alert with the same classification as the 100% ones; filter
# on the metadata field downstream if that distinction matters.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mygar.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519558; rev:1;)
# NOTE(review): "electrurn" resembles "electrum" - possibly look-alike names;
# confirm against the ThreatFox entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electrurn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519559/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electrurn.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519560/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skyprotech.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519576/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns1.shamless.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519575/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metalliko-industr.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519574/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519574; rev:1;)
alert tcp $HOME_NET any -> [49.228.131.165] 2427 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519573; rev:1;)
# confidence_level 50 entries follow. Three of the names sit under shared
# service domains (portmap.io, ddns.net, cloudapp.azure.com); the exact-name
# match keeps other hosts under those parents out of scope.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lancery.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519572/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"samrat4-56907.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519571/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dhaker.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519569/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"raypun.eastus.cloudapp.azure.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519570/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519570; rev:1;)
alert tcp $HOME_NET any -> [31.128.216.7] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519568/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519568; rev:1;)
# Sliver, three addresses on the same port 31337, all confidence_level 50.
alert tcp $HOME_NET any -> [45.151.62.134] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519566; rev:1;)
alert tcp $HOME_NET any -> [159.223.205.104] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519567/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519567; rev:1;)
alert tcp $HOME_NET any -> [54.252.215.88] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519565/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519565; rev:1;)
alert tcp $HOME_NET any -> [43.156.57.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519564/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519564; rev:1;)
alert tcp $HOME_NET any -> [47.238.140.204] 8990 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519563/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519563; rev:1;)
alert tcp $HOME_NET any -> [47.120.45.216] 9009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519562; rev:1;)
alert tcp $HOME_NET any -> [47.236.58.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519561; rev:1;)
alert tcp $HOME_NET any -> [4.193.160.64] 8081 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519555; rev:1;)
# "Unknown malware" entries: the feed names no family, so the alert text gives
# triage nothing beyond the destination; the reference URL is the place to look.
alert tcp $HOME_NET any -> [51.89.204.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519554; rev:1;)
alert tcp $HOME_NET any -> [102.117.163.86] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519551; rev:1;)
alert tcp $HOME_NET any -> [193.23.219.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519552; rev:1;)
alert tcp $HOME_NET any -> [176.65.144.221] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519553; rev:1;)
# AsyncRAT: 176.65.141.225 is listed on ports 6606, 7707 and 8808 and
# 176.65.142.228 on 6606, each pair under its own sid.
alert tcp $HOME_NET any -> [176.65.141.225] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519549; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.228] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519550; rev:1;)
alert tcp $HOME_NET any -> [206.238.115.155] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519545; rev:1;)
alert tcp $HOME_NET any -> [3.215.185.215] 6001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519546; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.225] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519547; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.225] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519548; rev:1;)
# Host under plesk.page. NOTE(review): the middle label "94-156-177-241" looks
# like a dashed IPv4 address; the rule matches the name only - confirm on the
# ThreatFox entry whether the address is tracked as a separate indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magical-lumiere.94-156-177-241.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519543; rev:1;)
alert tcp $HOME_NET any -> [120.53.15.200] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519544; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.199] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519541; rev:1;)
alert tcp $HOME_NET any -> [191.96.207.235] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519542; rev:1;)
alert tcp $HOME_NET any -> [152.136.145.153] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519540; rev:1;)
alert tcp $HOME_NET any -> [38.207.179.194] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519539; rev:1;)
alert tcp $HOME_NET any -> [116.62.30.120] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"login.mexc-signin.kro.kr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1519537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"login.mexc-signin.kro.kr"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1519536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519536; rev:1;) alert tcp $HOME_NET any -> [185.196.11.181] 9908 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519535/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519535; rev:1;) alert tcp $HOME_NET any -> [176.65.134.78] 45682 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"1re0-61442.portmap.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"djkms-32561.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; 
sid:91519532; rev:1;) alert tcp $HOME_NET any -> [117.72.119.212] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519530; rev:1;) alert tcp $HOME_NET any -> [158.247.247.157] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519529; rev:1;) alert tcp $HOME_NET any -> [45.138.159.2] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519528; rev:1;) alert tcp $HOME_NET any -> [110.43.68.80] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519527; rev:1;) alert tcp $HOME_NET any -> [135.220.19.84] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519526; rev:1;) alert tcp $HOME_NET any -> [156.251.179.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1519525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"61.3.26.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519524; rev:1;) alert tcp $HOME_NET any -> [161.97.116.56] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519522; rev:1;) alert tcp $HOME_NET any -> [103.157.28.180] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519520; rev:1;) alert tcp $HOME_NET any -> [144.172.94.163] 2427 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519521; rev:1;) alert tcp $HOME_NET any -> [209.58.181.226] 6513 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519519; 
rev:1;) alert tcp $HOME_NET any -> [47.115.222.119] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519518; rev:1;) alert tcp $HOME_NET any -> [113.17.35.148] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519516; rev:1;) alert tcp $HOME_NET any -> [185.242.235.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519517; rev:1;) alert tcp $HOME_NET any -> [116.62.126.115] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519515; rev:1;) alert tcp $HOME_NET any -> [185.227.152.100] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519514; rev:1;) alert tcp $HOME_NET any -> [83.229.121.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1519512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519512; rev:1;) alert tcp $HOME_NET any -> [185.227.152.100] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519513; rev:1;) alert tcp $HOME_NET any -> [92.63.197.45] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519511/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519511; rev:1;) alert tcp $HOME_NET any -> [173.254.31.34] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ftp.fosna.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519509; rev:1;) alert tcp $HOME_NET any -> [110.4.45.197] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ftp.haliza.com.my"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519507; rev:1;) alert tcp $HOME_NET any -> [136.243.131.47] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ftp.hitplas.ro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519505; rev:1;) alert tcp $HOME_NET any -> [54.198.212.23] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519503/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519503; rev:1;) alert tcp $HOME_NET any -> [24.158.35.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519502/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519502; rev:1;) alert tcp $HOME_NET any -> [177.124.72.27] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519500/; target:src_ip; 
metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519500; rev:1;) alert tcp $HOME_NET any -> [15.197.85.202] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519499/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"odyssey-st.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519498/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"154.198.50.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519458; rev:1;) alert tcp $HOME_NET any -> [45.80.158.239] 5939 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"niggerkiller69.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519496/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"egirlcam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519495/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519495; rev:1;) alert tcp $HOME_NET any -> [144.172.73.64] 9999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519494; rev:1;) alert tcp $HOME_NET any -> [102.100.54.53] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519493; rev:1;) alert tcp $HOME_NET any -> [185.143.241.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cov.ph4nt0m.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519491; rev:1;) alert tcp 
$HOME_NET any -> [88.229.2.85] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519489; rev:1;) alert tcp $HOME_NET any -> [88.229.2.85] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519490; rev:1;) alert tcp $HOME_NET any -> [177.124.72.27] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519488; rev:1;) alert tcp $HOME_NET any -> [172.111.244.103] 37830 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519487; rev:1;) alert tcp $HOME_NET any -> [139.9.92.182] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519486; rev:1;) alert tcp $HOME_NET any -> [209.74.81.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519484/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519484; rev:1;) alert tcp $HOME_NET any -> [139.9.92.182] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519485; rev:1;) alert tcp $HOME_NET any -> [8.219.232.189] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519482; rev:1;) alert tcp $HOME_NET any -> [92.63.197.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519483; rev:1;) alert tcp $HOME_NET any -> [120.26.199.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519481; rev:1;) alert tcp $HOME_NET any -> [147.185.221.28] 23258 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519480/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/r9a1gjxb"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519479/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"irc.xinxin.cam"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519477/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xenqxd-42269.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zizo.myftp.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"enzomtp.dragonia-pvp.fr"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519475/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"dn-master.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519474/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"103.116.8.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519473/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"176.65.144.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519472/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519472; rev:1;) alert tcp $HOME_NET any -> [94.141.122.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519471; rev:1;) alert tcp $HOME_NET any -> [43.198.88.206] 13 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519470; rev:1;) alert tcp $HOME_NET any -> [95.131.202.38] 2083 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519469; rev:1;) alert tcp $HOME_NET any -> [107.189.18.56] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519468; rev:1;) alert tcp $HOME_NET any -> [212.11.64.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519467; rev:1;) alert tcp $HOME_NET any -> [217.160.208.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519465/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519465; rev:1;) alert tcp $HOME_NET any -> [144.202.86.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519466; rev:1;) alert tcp $HOME_NET any -> [185.234.247.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519462; rev:1;) alert tcp $HOME_NET 
any -> [107.172.29.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519463/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519463; rev:1;) alert tcp $HOME_NET any -> [107.152.33.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519464/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519464; rev:1;) alert tcp $HOME_NET any -> [101.43.94.35] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519461; rev:1;) alert tcp $HOME_NET any -> [185.208.159.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519460/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519460; rev:1;) alert tcp $HOME_NET any -> [115.175.39.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519459/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_11; classtype:trojan-activity; sid:91519459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fepez.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519457/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.joydome.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pixelpitstop.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamespheres.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519426; rev:1;) alert tcp $HOME_NET any -> [8.131.118.10] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519427; rev:1;) alert tcp $HOME_NET any -> [13.209.176.201] 52683 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519428; rev:1;) alert tcp $HOME_NET any -> 
[45.192.104.206] 6003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519429; rev:1;) alert tcp $HOME_NET any -> [3.215.185.215] 7001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519430; rev:1;) alert tcp $HOME_NET any -> [196.251.114.17] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519431; rev:1;) alert tcp $HOME_NET any -> [79.110.49.72] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519432; rev:1;) alert tcp $HOME_NET any -> [128.90.113.42] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519433; rev:1;) alert tcp $HOME_NET any -> [196.251.86.13] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519434/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.tempoestil.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519435; rev:1;) alert tcp $HOME_NET any -> [176.65.144.114] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519436; rev:1;) alert tcp $HOME_NET any -> [20.217.80.197] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519437; rev:1;) alert tcp $HOME_NET any -> [47.109.190.151] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519438; rev:1;) alert tcp $HOME_NET any -> [177.39.220.26] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519439; rev:1;) alert tcp $HOME_NET any -> [54.90.199.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519440; rev:1;) alert tcp $HOME_NET any -> [81.70.236.111] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519441; rev:1;) alert tcp $HOME_NET any -> [193.123.83.19] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519442; rev:1;) alert tcp $HOME_NET any -> [159.89.162.159] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519443; rev:1;) alert tcp $HOME_NET any -> [5.255.118.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519444; rev:1;) alert tcp $HOME_NET any -> [13.60.65.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519445/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_11; classtype:trojan-activity; sid:91519445; rev:1;)
# ip:port IOC rules. Each one matches any TCP packet from $HOME_NET to the single
# listed address and port; no flow state or payload content is checked, so an
# alert shows only that a host sent traffic to that endpoint. The threshold
# (type limit, track by_src, count 1, seconds 60) caps output at one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [92.36.141.43] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519446; rev:1;)
alert tcp $HOME_NET any -> [20.227.93.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519447; rev:1;)
# Domain IOC rules. In the dns_query buffer, depth equal to the pattern length
# anchors the content at the start of the query name and isdataat:!1,relative
# requires that nothing follows it, so the query must equal the listed domain
# exactly (nocase: case-insensitive). A query for a subdomain of the listed name
# does not match.
# NOTE(review): these rules see only traffic Suricata parses as DNS; lookups
# carried over DoH/DoT would not reach them -- confirm resolver egress policy.
# sid 91519449 carries confidence_level 75; the two rules after it carry 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electrunn.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519449/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kyjej.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jyjev.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519406; rev:1;)
alert tcp $HOME_NET any -> [1.14.200.238] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519408; rev:1;) alert tcp $HOME_NET any -> [82.156.105.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cyleb.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519419; rev:1;) alert tcp $HOME_NET any -> [104.160.187.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"araucahkbm.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"posseswsnc.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519236/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"featurlyin.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"google-chrome.western-servers.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519259/; target:src_ip; metadata: confidence_level 80, first_seen 2025_05_11; classtype:trojan-activity; sid:91519259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"www.google-chrome.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519260/; target:src_ip; metadata: confidence_level 80, first_seen 2025_05_11; classtype:trojan-activity; sid:91519260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fiwyj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519244; rev:1;) alert tcp $HOME_NET any -> [148.66.2.197] 21 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flowerexju.bet"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easterxeen.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wybod.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519227; rev:1;) alert tcp $HOME_NET any -> [38.207.176.60] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519228; rev:1;) alert tcp $HOME_NET any -> [216.219.85.188] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519455; rev:1;) alert tcp $HOME_NET any -> [118.178.192.36] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1519456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519456; rev:1;)
# ip:port IOC rules: destination address and port are the only match conditions
# (no flow or payload keywords). The first two rules below cover the same
# address, 103.45.68.135, on ports 80 and 4444; they are separate ThreatFox
# entries with separate sids. threshold limits each sid to one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [103.45.68.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519454; rev:1;)
alert tcp $HOME_NET any -> [103.45.68.135] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519452; rev:1;)
alert tcp $HOME_NET any -> [118.178.192.36] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519453; rev:1;)
# URL IOC rules. flow:established,from_client restricts the match to client
# requests on an established flow. Three sticky buffers are checked:
#   http.method - contains "GET"
#   http.uri    - starts with "/test/" (depth equals the pattern length; there
#                 is no end anchor, so any longer path under /test/ also matches)
#   http.host   - equals the listed host exactly (depth + isdataat:!1,relative)
# These rules have no threshold keyword, so every matching request alerts.
# NOTE(review): only HTTP that Suricata can parse is inspected; the same request
# inside TLS would not match unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/"; depth:6; nocase; http.host; content:"lofiramegi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/"; depth:6; nocase; http.host; content:"topguningit.com"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1519450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519450; rev:1;) alert tcp $HOME_NET any -> [23.95.197.208] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519448; rev:1;) alert tcp $HOME_NET any -> [185.208.159.224] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519422/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519422; rev:1;) alert tcp $HOME_NET any -> [154.219.109.205] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519421/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519421; rev:1;) alert tcp $HOME_NET any -> [110.42.45.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519420/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_11; classtype:trojan-activity; sid:91519420; rev:1;) alert tcp $HOME_NET any -> [64.23.243.220] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519418; rev:1;) alert tcp $HOME_NET any -> [51.89.204.75] 443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519417; rev:1;) alert tcp $HOME_NET any -> [51.38.140.91] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sliv.ph4nt0m.fr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519415; rev:1;) alert tcp $HOME_NET any -> [93.95.230.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519414; rev:1;) alert tcp $HOME_NET any -> [138.199.162.81] 1961 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519412; rev:1;) alert tcp $HOME_NET any -> [85.215.107.125] 1231 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519413/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519413; rev:1;) alert tcp $HOME_NET any -> [154.198.50.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519411; rev:1;) alert tcp $HOME_NET any -> [67.211.216.77] 3396 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_11; classtype:trojan-activity; sid:91519410; rev:1;) alert tcp $HOME_NET any -> [173.249.12.142] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519407/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519407; rev:1;) alert tcp $HOME_NET any -> [88.234.26.133] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519404/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519404; rev:1;) alert tcp $HOME_NET any -> [70.31.125.66] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519403/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519403; rev:1;) alert tcp $HOME_NET any -> [47.107.84.216] 8080 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519402/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519402; rev:1;) alert tcp $HOME_NET any -> [2.88.153.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519401/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519401; rev:1;) alert tcp $HOME_NET any -> [13.57.38.39] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519400/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519400; rev:1;) alert tcp $HOME_NET any -> [193.24.123.86] 443 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519399; rev:1;) alert tcp $HOME_NET any -> [115.79.224.62] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519397; rev:1;) alert tcp $HOME_NET any -> [115.79.224.62] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519398; rev:1;) alert tcp $HOME_NET any -> 
[195.211.191.63] 5938 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519396; rev:1;)
# ip:port IOC rules: each matches any TCP packet from $HOME_NET to one address
# and one port, with no payload inspection. The malware family appears only in
# msg, taken from the ThreatFox entry linked in reference; the rule itself does
# not identify the protocol spoken on the connection.
# Ports in this group include 80 and 53, which ordinary web and DNS-over-TCP
# traffic also use. The pinned destination address keeps the rules specific, but
# an egress policy that filters on port alone would still let these connections
# through.
# NOTE(review): consider limiting outbound TCP/53 to designated resolvers.
alert tcp $HOME_NET any -> [176.65.134.178] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519395; rev:1;)
alert tcp $HOME_NET any -> [196.251.80.132] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519394; rev:1;)
alert tcp $HOME_NET any -> [176.65.144.95] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519393; rev:1;)
alert tcp $HOME_NET any -> [103.157.28.180] 53 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519392; rev:1;)
alert tcp $HOME_NET any -> [39.104.202.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519390/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519390; rev:1;) alert tcp $HOME_NET any -> [209.74.81.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"unlimirxam.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519257/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519257; rev:1;) alert tcp $HOME_NET any -> [78.120.121.167] 1443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519256/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519256; rev:1;) alert tcp $HOME_NET any -> [196.251.86.25] 1647 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519255; rev:1;) alert tcp $HOME_NET any -> [154.207.55.13] 13320 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519254; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akds"; depth:5; nocase; http.host; content:"posseswsnc.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519253/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdal"; depth:5; nocase; http.host; content:"featurlyin.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519251/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanz"; depth:5; nocase; http.host; content:"flowerexju.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519252/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zavc"; depth:5; nocase; http.host; content:"easterxeen.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519250/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baneb"; depth:6; nocase; 
http.host; content:"araucahkbm.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519249/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"6emeteorplyp.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519248/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"winsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519247/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"4clatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519246; rev:1;) alert tcp $HOME_NET any -> [51.38.235.129] 8765 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519245; rev:1;) alert tcp $HOME_NET any -> [156.244.28.230] 
8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519243; rev:1;) alert tcp $HOME_NET any -> [103.79.78.186] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519242; rev:1;) alert tcp $HOME_NET any -> [13.60.69.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519241; rev:1;) alert tcp $HOME_NET any -> [177.0.136.157] 456 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519240; rev:1;) alert tcp $HOME_NET any -> [190.123.46.143] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519239; rev:1;) alert tcp $HOME_NET any -> [31.42.184.188] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519238/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519238; rev:1;) alert tcp $HOME_NET any -> [60.204.236.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519231; rev:1;) alert tcp $HOME_NET any -> [154.90.63.147] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519232; rev:1;) alert tcp $HOME_NET any -> [123.249.115.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"5voznessxyy.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"yodescenrugb.bet"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519226/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519226; rev:1;)
# URL rule: exact http.host match, http.uri matched as a case-insensitive
# prefix ("/gwqz" followed by anything still matches). Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gwqz"; depth:5; nocase; http.host; content:"animatcxju.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519224/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519224; rev:1;)
# The next two rules cover the same host from two angles: sid 91519222 fires
# on the DNS query for the exact name, sid 91519223 on a cleartext GET whose
# URI starts with /profilelayout. One infected host can therefore raise both;
# correlate them on source address instead of counting two incidents.
# In the domain rule, depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only the exact query name matches; subdomains of
# it do not. dns_query is the older spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"photoreport.roamdetail.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"photoreport.roamdetail.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519223; rev:1;)
# ip:port rule: matches any TCP packet to this address and port; the threshold
# limits it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [47.96.13.97] 3443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519221/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519221; rev:1;)
# The http.uri content here is "/" with depth:1, which every request path
# satisfies, so this rule is in effect a Host-only match on GET requests (the
# host match continues on the following line).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"72.aa.4t.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519219; rev:1;)
# Payload-delivery URL rule whose http.host content is an IP literal: it
# matches a cleartext GET whose host equals this bare address and whose URI
# starts with /mozi.m. confidence_level is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.97.107.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519220; rev:1;)
# ip:port rule: no flow or content keyword, so any TCP packet to this endpoint
# matches; one alert per source per 60 seconds. confidence_level is 50.
alert tcp $HOME_NET any -> [147.185.221.28] 27350 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519218; rev:1;)
# Domain rule with exact-name anchoring (depth equals content length, plus
# isdataat:!1,relative). NOTE(review): the parent domain looks like a shared
# tunnelling service; the anchoring keeps the match to this one hostname, so
# other hosts under the same parent are not flagged.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hye87lws0.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519217/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519217; rev:1;)
# NOTE(review): the host is a shared paste service, so the URI prefix alone
# identifies the indicator. Two caveats to confirm before relying on it:
#  - nocase on http.uri presumably also matches a paste id that differs from
#    this one only in letter case, i.e. possibly an unrelated paste;
#  - the service is normally reached over HTTPS, which an http rule cannot see
#    without TLS inspection, so expect few or no hits on most sensors.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/hxaqv6nq"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519216; rev:1;)
alert tcp $HOME_NET any -> [196.251.81.26] 34421 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519215; rev:1;)
# Domain rules, all confidence_level 50. Each pins the full query name: depth
# equals the content length and isdataat:!1,relative forbids trailing bytes,
# so neither subdomains nor sibling hosts under the same parent match.
# NOTE(review): several parents here (ddns.net, portmap.io, duckdns.org) look
# like shared dynamic-DNS or port-forwarding services; the exact-name
# anchoring is what keeps these rules from flagging unrelated customers of the
# same service.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mctestnoip0403.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519211; rev:1;)
# The next three names share the label "realmensw" under three different TLDs
# (.life, .icu, .click), one sid each.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rep.realmensw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sort.realmensw.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tvq.realmensw.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huy1612-24727.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"7sesh-58077.portmap.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nnmirai.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519207/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"takine.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519208/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519208; rev:1;)
# ip:port rules at confidence_level 50: header-only match on destination
# address and port, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [37.220.31.27] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519206; rev:1;)
alert tcp $HOME_NET any -> [46.153.191.198] 1166 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519205/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519205; rev:1;)
alert tcp $HOME_NET any -> [118.122.8.155] 8839 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519204/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519204; rev:1;)
# ip:port rules, mostly confidence_level 50. They carry no flow or content
# keyword, so a single TCP packet from $HOME_NET to the listed address and
# port is enough to alert; the threshold keeps it to one alert per source per
# 60 seconds. With address-only matching at this confidence, corroborate a hit
# with endpoint or proxy telemetry before treating the host as compromised.
alert tcp $HOME_NET any -> [212.69.167.73] 8081 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519203/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519203; rev:1;)
alert tcp $HOME_NET any -> [54.189.129.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519202/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519202; rev:1;)
# NOTE(review): the three Sliver entries share port 31337. That is presumably
# the framework's default operator (multiplayer) listener rather than an
# implant callback port, so confirm what a connection from an internal host
# to it would actually indicate before assigning severity.
alert tcp $HOME_NET any -> [152.110.29.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519201/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519201; rev:1;)
alert tcp $HOME_NET any -> [156.245.248.224] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519199/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519199; rev:1;)
alert tcp $HOME_NET any -> [185.112.83.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519200/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519200; rev:1;)
alert tcp $HOME_NET any -> [34.169.179.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519198/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519198; rev:1;)
alert tcp $HOME_NET any -> [185.208.159.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519197/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519197; rev:1;)
alert tcp $HOME_NET any -> [8.138.46.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519196/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_10; classtype:trojan-activity; sid:91519196; rev:1;)
alert tcp $HOME_NET any -> [65.109.104.169] 9330 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519195/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519195; rev:1;)
# Payload-delivery domain rules: the query name must equal the listed name
# exactly (depth equals content length, isdataat:!1,relative, nocase). A hit
# shows that the name was looked up, not that a payload was fetched; pair it
# with HTTP/TLS or endpoint evidence from the same source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kujim.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zumil.run"; 
depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519177; rev:1;)
# ip:port rules at confidence_level 100. The match is still header-only
# (destination address and port, no flow or content keyword) and limited to
# one alert per source per 60 seconds. Each sid is 9 followed by the IoC id in
# the reference URL.
alert tcp $HOME_NET any -> [37.114.50.14] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519194; rev:1;)
alert tcp $HOME_NET any -> [161.248.238.20] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519193; rev:1;)
alert tcp $HOME_NET any -> [193.24.123.86] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519192; rev:1;)
alert tcp $HOME_NET any -> [23.146.40.48] 8087 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519191; rev:1;)
alert tcp $HOME_NET any -> [143.92.48.133] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519190; rev:1;)
# Same destination address on two ports (8000 and 9999), one sid per port.
# The thresholds are tracked per rule, so one source touching both ports can
# produce two alerts inside the same 60 seconds.
alert tcp $HOME_NET any -> [115.79.224.62] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519188; rev:1;)
alert tcp $HOME_NET any -> [115.79.224.62] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519189; rev:1;)
# Domain rule pinned to the full 42-byte query name (depth:42 plus
# isdataat:!1,relative). NOTE(review): the name looks like a hosting
# provider's generated host name rather than a separately registered domain;
# the exact-name anchoring keeps the match off other hosts under that parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.195.89.27.37.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519187; rev:1;)
alert tcp $HOME_NET any -> [47.76.241.49] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519186; rev:1;)
alert tcp $HOME_NET any -> [102.117.169.121] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519184; rev:1;)
alert tcp $HOME_NET any -> [135.220.0.32] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519185; rev:1;)
alert tcp $HOME_NET any -> [116.99.233.218] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519183; rev:1;)
# Exact-name domain rule. NOTE(review): the parent looks like a shared
# dynamic-DNS service; only this one hostname is matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b95bca55387d2a9ba0d7.webredirect.org"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519181; rev:1;)
alert tcp $HOME_NET any -> [213.199.55.247] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519182; rev:1;)
alert tcp $HOME_NET any -> [45.194.17.148] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519180; rev:1;)
alert tcp $HOME_NET any -> [62.234.92.164] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519179; rev:1;)
alert tcp 
$HOME_NET any -> [43.160.199.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519178; rev:1;)
# ip:port rules: header-only match on destination address and port, one alert
# per source per 60 seconds. Nothing in the options inspects payload, so the
# malware family in msg comes from the feed, not from what was seen on the
# wire; use confidence_level and first_seen to judge how much weight a hit
# deserves.
alert tcp $HOME_NET any -> [91.151.95.206] 55555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519176; rev:1;)
alert tcp $HOME_NET any -> [7.132.23.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519174/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519174; rev:1;)
alert tcp $HOME_NET any -> [117.132.2.131] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519173/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519173; rev:1;)
# Payload-delivery domain rule: exact query-name match (depth equals content
# length, isdataat:!1,relative, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soreb.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519172; rev:1;)
alert tcp $HOME_NET any -> [107.173.51.146] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519163; rev:1;)
alert tcp $HOME_NET any -> [123.57.69.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519164; rev:1;)
alert tcp $HOME_NET any -> [194.116.216.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519165; rev:1;)
alert tcp $HOME_NET any -> [118.184.187.167] 54681 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519171; rev:1;)
# This address is listed on port 5000 here and also on ports 8000 and 9999
# under sids 91519188 and 91519189; group alerts by destination address when
# correlating.
alert tcp $HOME_NET any -> [115.79.224.62] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519170; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.100] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519169; rev:1;)
alert tcp $HOME_NET any -> [81.10.39.58] 7777 (msg:"ThreatFox AsyncRAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519168; rev:1;)
# ip:port rules: header-only match, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [216.250.253.13] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519166; rev:1;)
alert tcp $HOME_NET any -> [173.225.102.145] 9774 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519167; rev:1;)
# URL rules at confidence_level 75. http.host must equal the listed name
# (depth equals content length, isdataat:!1,relative); http.uri is matched as
# a case-insensitive five-byte prefix, so any path or query string that
# starts with it also matches. They inspect cleartext GET requests only, so
# the same URL over HTTPS is not seen without TLS decryption upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"xovercovtcg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519162/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juab"; depth:5; nocase; http.host; content:"sinterpwthc.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519161/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"3clatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519160/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519160; rev:1;)
# Domain rules: exact query-name match (depth equals content length,
# isdataat:!1,relative, nocase); subdomains of the listed names do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aa.hostasa.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519159; rev:1;)
alert tcp $HOME_NET any -> [103.254.75.120] 21 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519158/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whois.checkokdomain.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winrar.monstervp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/diagnostics.php"; depth:16; nocase; http.host; content:"cbsnaturalway.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519155; rev:1;)
# Run of domain rules for names under .digital, all confidence_level 75 and
# first_seen 2025_05_10. Every rule pins the full query name: depth equals the
# content length and isdataat:!1,relative forbids trailing bytes, so
# subdomains do not match; nocase makes the comparison case-insensitive.
# fast_pattern selects the domain string for the prefilter stage.
# The msg names no malware family; the reference URL (IoC id = sid without the
# leading 9) is the place to look up attribution.
# A DNS hit shows that the name was queried, not that a C2 session followed;
# check for subsequent connections from the same source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wwwsyju.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518911/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sumeriavgv.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518912/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ingratgmit.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518913/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aigjmr.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518914/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"joinfoulnz.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518915/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tendolihyy.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518916/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"labradycau.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518917/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jinglexhsg.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518918/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"villaggcag.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518919/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"famprid.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518920/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flushelett.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518921/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"triphoy.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518922/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"parftv.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518924/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"genmxz.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518923/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pitchbcmst.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518925/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 75%)"; dns_query; content:"inflexcytv.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518926/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518926; rev:1;)
# Domain rules, all confidence_level 75 and first_seen 2025_05_10. The query
# name must equal the listed name exactly (depth equals content length,
# isdataat:!1,relative, nocase), so subdomains and look-alike names are not
# covered. target:src_ip marks the querying host as the affected side; on a
# sensor that only sees an internal resolver's outbound queries that source
# is presumably the resolver, not the infected client; verify sensor
# placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sociolimtj.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518927/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"salivanmbm.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518928/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"familyclif.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518929/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stylefnez.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518930/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"parrisrohy.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518931/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"getatasgop.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518932/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"excesskyke.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518933/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"supryov.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518910/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apxtfy.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518908/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conynbud.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518909/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qpuppypla.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518907/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chafjx.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518904/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ranjwa.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518905/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"polifd.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518906/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"serldp.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518903/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"herosdecos.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518901/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transmcvrs.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518902/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"achoerurdv.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518899/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tossdelak.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518900/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"realiseglg.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518898/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"satynp.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1518896/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unlimirxam.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518897/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"missiodowt.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518893/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bearseduic.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518894/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"guineayqfp.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518895/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bringfznnn.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518891/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; 
classtype:trojan-activity; sid:91518891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"groundtusl.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518892/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ealdz.digital"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518887/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coloniqlhi.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518890/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"slashegqnp.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518888/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mothprjyqw.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518889/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"metropoli.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518886/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91518886; rev:1;)
# ip:port indicator. The rule has no content, flow or app-layer keyword, so it
# matches on destination address and port alone. threshold (type limit, track
# by_src, seconds 60, count 1) caps it at one alert per source address per 60 s.
# NOTE(review): an alert shows traffic towards the address, not what was exchanged;
# correlate with flow or TLS logs before treating the source host as compromised.
alert tcp $HOME_NET any -> [103.140.154.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519095; rev:1;)
# Domain indicator (payload delivery, confidence level 80%). depth equals the
# content length and isdataat:!1,relative forbids trailing bytes, so only a DNS
# query for exactly this name alerts; the parent domain and sibling names do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"free-vpn.soffts.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519096/; target:src_ip; metadata: confidence_level 80, first_seen 2025_05_10; classtype:trojan-activity; sid:91519096; rev:1;)
# URL indicator (payload delivery, confidence level 95%).
# flow:established,from_client limits it to client requests on an established flow.
#   http.method - contains "GET"
#   http.uri    - begins with the path (depth equals the content length); there is
#                 no end anchor, so a query string after the path still matches
#   http.host   - exactly the host name (depth plus isdataat:!1,relative)
# Only cleartext HTTP is inspected; the same request over TLS is not matched unless
# traffic is decrypted before the sensor.
# NOTE(review): http.host carries no nocase; presumably fine because Suricata
# normalises that buffer to lower case - confirm for the deployed version.
# NOTE(review): the path sits under /wp-content/plugins/, which looks like a
# WordPress plugin directory, so the host may be a compromised legitimate site -
# check the ThreatFox reference before blocking the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/alo-easymail/tr.php"; depth:39; nocase; http.host; content:"send.mycatisanalien.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1519097/; target:src_ip; metadata: confidence_level 95, first_seen 2025_05_10; classtype:trojan-activity; sid:91519097; rev:1;)
# ip:port indicators again: destination address and port only, one alert per
# source address per 60 s.
alert tcp $HOME_NET any -> [54.234.14.241] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519118; rev:1;)
alert tcp $HOME_NET any -> [192.254.71.2] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519119; rev:1;)
# Domain indicators (botnet C2, confidence level 100%). Each rule matches the DNS
# query name exactly: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes. The first rule therefore alerts on "www.quickload.cloud"
# only; a query for the bare parent domain or another label under it is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.quickload.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nvergerghtyh.ihatelv.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519121; rev:1;)
# NOTE(review): this name embeds what looks like an IPv4 address (123-60-83-46)
# under a provider's compute zone - presumably a provider-assigned instance
# hostname that can pass to another tenant. Re-validate the indicator against the
# ThreatFox reference as first_seen ages instead of keeping it indefinitely.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-123-60-83-46.compute.hwclouds-dns.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519122; rev:1;)
# ip:port indicators: no content or flow keyword, so destination address and port
# are the whole match; threshold caps alerts at one per source address per 60 s.
alert tcp $HOME_NET any -> [103.45.68.135] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519123; rev:1;)
alert tcp $HOME_NET any -> [212.227.161.204] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519124/; target:src_ip; 
metadata: confidence_level 90, first_seen 2025_05_10; classtype:trojan-activity; sid:91519124; rev:1;) alert tcp $HOME_NET any -> [176.65.142.189] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flow.invstfund.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519126; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 8883 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519127; rev:1;) alert tcp $HOME_NET any -> [47.116.171.20] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519128; rev:1;) alert tcp $HOME_NET any -> [154.12.39.134] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519130; rev:1;) alert tcp $HOME_NET any -> [1.12.248.22] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519131; rev:1;)
# --- ip:port indicators labelled "Unknown malware", confidence level 100% ---
# These rules carry no content, flow or app-layer keyword: TCP traffic from
# $HOME_NET to the listed address and port is the whole match. threshold (type
# limit, track by_src, seconds 60, count 1) reduces that to at most one alert per
# source address per 60 seconds.
# The msg names no malware family, so the reference URL is the only triage context
# the rule provides.
# NOTE(review): an alert shows traffic towards the address, not what was exchanged,
# and on common ports such as 443 and 8080 the address may also serve unrelated
# content. Correlate with flow or TLS logs and check first_seen before acting.
alert tcp $HOME_NET any -> [18.141.199.143] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519132; rev:1;)
alert tcp $HOME_NET any -> [35.138.211.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519133; rev:1;)
alert tcp $HOME_NET any -> [139.59.222.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519134; rev:1;)
alert tcp $HOME_NET any -> [20.92.42.222] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519136; rev:1;)
alert tcp $HOME_NET any -> [81.30.101.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519135/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_10; classtype:trojan-activity; sid:91519135; rev:1;) alert tcp $HOME_NET any -> [188.166.116.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519137; rev:1;) alert tcp $HOME_NET any -> [193.85.207.30] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519139; rev:1;) alert tcp $HOME_NET any -> [116.203.80.181] 49152 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519138; rev:1;) alert tcp $HOME_NET any -> [148.135.70.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519140; rev:1;) alert tcp $HOME_NET any -> [80.79.7.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519141; rev:1;) alert tcp $HOME_NET any -> [64.23.243.220] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519142; rev:1;) alert tcp $HOME_NET any -> [148.113.181.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519143; rev:1;) alert tcp $HOME_NET any -> [38.147.171.244] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519144; rev:1;) alert tcp $HOME_NET any -> [13.217.159.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519145; rev:1;) alert tcp $HOME_NET any -> [47.123.3.46] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519146; rev:1;) alert tcp $HOME_NET any -> [117.133.20.59] 35597 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; 
classtype:trojan-activity; sid:91519147; rev:1;) alert tcp $HOME_NET any -> [154.247.246.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519149; rev:1;) alert tcp $HOME_NET any -> [34.93.46.216] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.cliufgurad.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"totyc.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"memonzi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"h1.postedtipped.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taleweaiver.run"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"valvulnsuq.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rundowrlgr.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daggerpewl.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.unlimitedblandness.bet"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1518883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"campylloir.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.iaa-airferight.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mamiraoniv.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adingannk.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.chinaplasticsac.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; 
classtype:trojan-activity; sid:91518853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fvlc.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ugive.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fyyl.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p.dpard.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hyvin.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/background-image-cropper/khxxuq.php"; depth:55; nocase; http.host; content:"ropoclosto.co"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518848/; target:src_ip; metadata: confidence_level 95, first_seen 2025_05_10; classtype:trojan-activity; sid:91518848; rev:1;)
# ip:port rules: match on destination address and port only. Any TCP packet
# from $HOME_NET to the listed endpoint fires; no payload or flow state is
# checked. "threshold: type limit, track by_src, seconds 60, count 1" caps
# each rule at one alert per source host per 60 seconds. The malware family
# named in msg is the feed's label for the endpoint, not something derived
# from the traffic.
alert tcp $HOME_NET any -> [80.66.75.39] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518831; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518832; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91518830; rev:1;)
alert tcp $HOME_NET any -> [123.249.16.132] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519153; rev:1;)
alert tcp $HOME_NET any -> [45.32.120.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519154; rev:1;)
alert tcp $HOME_NET any -> [8.141.113.34] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519152; rev:1;)
alert tcp $HOME_NET any -> [117.72.56.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519151; rev:1;)
alert tcp $HOME_NET any -> [49.233.182.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519150; rev:1;)
alert tcp $HOME_NET any -> [101.108.101.80] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519129; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# requires the buffer to end right after it, so the DNS query name must equal
# the listed name (case-insensitively, via nocase). Subdomains of a listed
# name do not match, and neither does the parent domain of the two
# *.cfc-execute.bj.baidubce.com entries; only those full host names alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jasad.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519117/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cc6w584kc0zsp.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519116/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"97e790ebyt425.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519115/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_10; classtype:trojan-activity; sid:91519115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xizaf.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1519114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519114; rev:1;)
alert tcp $HOME_NET any -> [3.141.231.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519113; rev:1;)
alert tcp $HOME_NET any -> [179.134.104.251] 9990 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519112; rev:1;)
alert tcp $HOME_NET any -> [171.22.28.66] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519111; rev:1;)
# Every rule in this run is an ip:port IOC. confidence_level (75 or 100 here)
# appears only in msg and metadata; action, classtype and threshold are the
# same for every entry, so any prioritisation by confidence has to happen
# downstream on the metadata field.
# first_seen is the only date a rule carries. Nothing in the rule expires it,
# so retiring endpoints that have gone stale or been reassigned is left to
# whoever consumes the ruleset.
alert tcp $HOME_NET any -> [196.251.80.135] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519110; rev:1;)
alert tcp $HOME_NET any -> [188.132.129.196] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519108; rev:1;)
alert tcp $HOME_NET any -> [103.116.8.240] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519109; rev:1;)
alert tcp $HOME_NET any -> [45.149.172.87] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519107; rev:1;)
alert tcp $HOME_NET any -> [179.13.7.0] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519104; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.189] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519105; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.11] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519106; rev:1;)
alert tcp $HOME_NET any -> [188.130.154.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519102; rev:1;)
alert tcp $HOME_NET any -> [139.59.79.75] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519103; rev:1;)
alert tcp $HOME_NET any -> [123.56.187.48] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519100; rev:1;)
alert tcp $HOME_NET any -> [43.167.243.22] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519101; rev:1;)
alert tcp $HOME_NET any -> [156.251.179.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519098; rev:1;)
alert tcp $HOME_NET any -> [8.219.163.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1519099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_10; classtype:trojan-activity; sid:91519099; rev:1;)
alert tcp $HOME_NET any -> [93.82.29.106] 8000 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518943/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518943; rev:1;)
alert tcp $HOME_NET any -> [85.102.244.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518942/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518942; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.66] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518941/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518941; rev:1;)
alert tcp $HOME_NET any -> [39.40.186.30] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518940/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518940; rev:1;)
# ip:port IOC rules first seen 2025-05-09, with one URL rule among them.
alert tcp $HOME_NET any -> [24.158.32.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518939/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518939; rev:1;)
alert tcp $HOME_NET any -> [20.138.253.27] 448 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518938/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518938; rev:1;)
alert tcp $HOME_NET any -> [161.132.68.248] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518937/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518937; rev:1;)
alert tcp $HOME_NET any -> [213.209.150.210] 8882 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518935/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518935; rev:1;)
# URL rule: evaluated only on client-to-server HTTP GET requests that
# Suricata's HTTP parser sees in the clear; a request sent over TLS is not
# visible to http.uri/http.host unless it is decrypted before the sensor.
# http.uri is anchored at the start by depth, so it is a prefix match (a
# longer path or a query string still matches). http.host must equal the
# listed name exactly (depth + isdataat:!1,relative). Unlike the ip:port
# rules, this rule has no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"rninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518934/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518934; rev:1;)
alert tcp $HOME_NET any -> [8.141.114.174] 54681 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518876; rev:1;)
alert tcp $HOME_NET any -> [179.13.7.0] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518875; rev:1;)
alert tcp $HOME_NET any -> [47.119.157.245] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518874; rev:1;)
alert tcp $HOME_NET any -> [188.132.183.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518873; rev:1;)
alert tcp $HOME_NET any -> [102.117.167.141] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518870; rev:1;)
alert tcp $HOME_NET any -> [103.43.75.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518871; rev:1;)
# Mixed URL and ip:port IOC rules first seen 2025-05-09.
# In the URL rules, "nocase" follows the http.uri content, so the path is
# matched case-insensitively. The http.host content carries no nocase because
# Suricata lowercases that buffer; the listed host names must stay lowercase
# for the rules to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnvzx"; depth:6; nocase; http.host; content:"zmedtipp.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518872/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518872; rev:1;)
alert tcp $HOME_NET any -> [209.74.81.48] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518869; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.189] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518868; rev:1;)
alert tcp $HOME_NET any -> [176.65.143.147] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juhd"; depth:5; nocase; http.host; content:"overcovtcg.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518866/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518866; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.187] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518864; rev:1;)
alert tcp $HOME_NET any -> [196.251.92.126] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekp"; depth:5; nocase; http.host; content:"meteorplyp.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518863/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnbt"; depth:5; nocase; http.host; content:"hunterinrx.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518862/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518862; rev:1;)
alert tcp $HOME_NET any -> [8.134.218.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1518861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518861; rev:1;)
# ip:port, URL and domain IOC rules first seen 2025-05-09, at confidence
# levels from 50 to 100. The 50%-confidence entries use the same alert
# action and classtype as the 100% ones; only msg and metadata differ.
alert tcp $HOME_NET any -> [149.104.25.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518860; rev:1;)
alert tcp $HOME_NET any -> [47.111.109.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518858; rev:1;)
alert tcp $HOME_NET any -> [62.113.107.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banj"; depth:5; nocase; http.host; content:"cblackljjwc.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518857/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgry"; depth:5; nocase; http.host; content:"blackswmxc.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518856/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"8ninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518855/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518855; rev:1;)
# The domain rule alerts on the DNS query itself, so it fires even when no
# connection to the resolved address follows; the URL rules above and below
# need the cleartext HTTP request. The two rule types therefore cover
# different stages and do not substitute for each other.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"wwwcioudflare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518847/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"5grizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518846/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518846; rev:1;)
alert tcp $HOME_NET any -> [45.145.41.229] 56905 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518845/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518845; rev:1;)
alert tcp $HOME_NET any -> [162.250.188.82] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1518844/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518844; rev:1;)
# ip:port IOC rules at 50% confidence, followed by URL, domain and further
# ip:port rules, all first seen 2025-05-09.
alert tcp $HOME_NET any -> [172.86.106.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518842/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518842; rev:1;)
alert tcp $HOME_NET any -> [154.222.16.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518843/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518843; rev:1;)
alert tcp $HOME_NET any -> [110.42.45.117] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518841/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518841; rev:1;)
alert tcp $HOME_NET any -> [47.97.113.36] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518840/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518840; rev:1;)
# URL rules: http.host is an exact match, so each host name is covered only
# by its own rule. slinsidegrah.run and kinsidegrah.run below differ only in
# their leading characters and share the /ieop path; a further variant that
# is not listed produces no alert from this set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"xninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518838/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"slinsidegrah.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518837/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ihfd"; depth:5; nocase; http.host; content:"nightloqv.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518836/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"kinsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518835/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juab"; depth:5; nocase; http.host; content:"interpwthc.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518834/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banj"; depth:5; nocase; http.host; content:"blackljjwc.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518833/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518833; rev:1;)
# Here http.host is an IP literal and the path is the generic /index.php, so
# the rule matches only requests whose host field is that address written
# out; the path adds little specificity on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"185.62.56.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wasar.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518818; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518819; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518820; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1518821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518821; rev:1;)
# Tofsee entries: the same two addresses recur with one rule per destination
# port, so a single host contacting several of those ports raises several
# distinct sids (each limited to one alert per source per 60 seconds).
alert tcp $HOME_NET any -> [180.178.189.3] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518823; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518824; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518825; rev:1;)
alert tcp $HOME_NET any -> [45.155.206.243] 22 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518826/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518826; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518827; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518828; rev:1;)
# URL rules at 50% confidence. Seven of them share the path
# /statweb255/index.php across different hosts; since http.host is matched
# exactly, a host outside this list serving the same path is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/777/"; depth:5; nocase; http.host; content:"mxblog77.cfd"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518817/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"demblog797.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518812/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"admlogs457.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518813/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"blogmstat599.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518814/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"bloglogs757.cfd"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518815/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"pzh1966.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518816/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"serverlogs295.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518810/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statweb255/index.php"; depth:21; nocase; http.host; content:"servblog475.cfd"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518811/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518811; rev:1;)
# The two netlify.app rules use http.uri content "/" with depth:1, which any
# path beginning with "/" satisfies, so in practice they are host-only
# matches: every cleartext GET to that one named subdomain alerts. Only the
# listed subdomain matches, not other names under netlify.app.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gentle-chebakia-da1172.netlify.app"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518808/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"scintillating-taffy-213dd3.netlify.app"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518809/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518809; rev:1;)
# In the next two rules http.host is an IP literal and the path is a long
# fixed string, so the path carries most of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9tkuuctbv_u_dz51v3a7eqp5mdcdpinqwhwotingsq1uauwvw5sh/"; depth:54; nocase; http.host; content:"98.177.107.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518806/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vq6qtqjss3-rejas-re9rwfh30bypwos6cnirrjzlc36-yn0mcktf-dbnu4r5zvtaxpgcjvaauewfysuwreprrko4nscyllgu/"; depth:99; nocase; http.host; content:"69.55.62.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518807/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518807; rev:1;)
alert tcp $HOME_NET any -> [34.79.229.30] 8080
(msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518805; rev:1;) alert tcp $HOME_NET any -> [2.58.56.24] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518770; rev:1;) alert tcp $HOME_NET any -> [35.223.112.67] 3389 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518768; rev:1;) alert tcp $HOME_NET any -> [34.170.250.223] 3389 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518769; rev:1;) alert tcp $HOME_NET any -> [209.74.81.48] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518767; rev:1;) alert tcp $HOME_NET any -> [94.85.28.4] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518766/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_09; classtype:trojan-activity; sid:91518766; rev:1;) alert tcp $HOME_NET any -> [13.112.114.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518765; rev:1;) alert tcp $HOME_NET any -> [47.101.187.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"hinsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518763/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"0ninepicchf.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518762/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"a.hbweb.icu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518761/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; 
classtype:trojan-activity; sid:91518761; rev:1;)
# URL rules: http.host must equal the listed name exactly (depth = content length plus
# isdataat:!1,relative), while http.uri only has to begin with "/lznd" (5-byte prefix, nocase).
# Several hosts in this feed share the same path with different leading labels on one parent
# domain, so hunting on the parent domain in DNS/proxy logs may surface siblings not listed here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"wskninepicchf.bet"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518760/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"i3ninepicchf.bet"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518759/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518759; rev:1;)
# Domain rules: dns_query is matched as a whole, case-insensitively (depth = content length,
# isdataat:!1,relative, nocase). A lookup for a subdomain of the listed name does not match,
# and the rule sees only DNS that Suricata can parse on the wire; lookups sent over an
# encrypted resolver channel are outside its view.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zuvul.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518758; rev:1;)
# The name below reads like a lookalike of a well-known CDN brand (digit "1" where an "l" would
# be expected, "www" fused into the label) - NOTE(review): inferred from the string only.
# confidence_level is 50; a hit is worth checking against mail and web-proxy logs for the lure.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"wwwc1oudflare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518757/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518757; rev:1;)
alert tcp $HOME_NET any -> [5.104.168.62] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518756/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09;
classtype:trojan-activity; sid:91518756; rev:1;) alert tcp $HOME_NET any -> [162.254.86.108] 8085 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518755/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518755; rev:1;) alert tcp $HOME_NET any -> [47.108.39.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518754/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"login.kakao-accounts.kro.kr"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518753/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x/api/endpoint.php"; depth:19; nocase; http.host; content:"panel.diicotsec.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518752/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"cpanel.santechplumbing.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518749/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"panel.diicotsec.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518751/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auto.zerodaypool.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518750/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsna"; depth:5; nocase; http.host; content:"searchilyo.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518748/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"qhdatawavej.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518747/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnbd"; depth:5; nocase; http.host; content:"pnoxajb.top"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518746/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"lvclatteqrpq.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518745/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gantb"; depth:6; nocase; http.host; content:"insulaey.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518744/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"dclatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518743/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"6civitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518742/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518742; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v3//receive.php"; depth:16; nocase; http.host; content:"diicotsec.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/animenet/login.php"; depth:19; nocase; http.host; content:"diicotsec.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518739/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v3/login.php"; depth:13; nocase; http.host; content:"diicotsec.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518740/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/minjs.js"; depth:13; nocase; http.host; content:"my-privatebanker.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"my-privatebanker.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/select.js"; depth:14; nocase; http.host; content:"my-privatebanker.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rsrs.zip"; depth:9; nocase; http.host; content:"jaagnet.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/xxx.php"; depth:12; nocase; http.host; content:"my-privatebanker.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jaagnet.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518737; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"sleetpotato.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"172.171.241.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518731/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.exe"; depth:10; nocase; http.host; content:"210.125.101.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518730/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe"; depth:47; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518728/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/msf.exe"; depth:8; nocase; http.host; content:"qiniuyunxz.yxflzs.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518729/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"quaestort.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sidebyafzy.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518727/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"wwwcloudfiare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518725; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 64972 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518723/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518723; rev:1;) alert tcp $HOME_NET any -> [209.54.102.133] 8078 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1518724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518724; rev:1;)
# Domain rule tied to one full hostname under portmap.io; the exact-match anchoring (depth = content
# length, isdataat:!1,relative) means other names under the same suffix are not covered.
# NOTE(review): the number in the label (64972) is the same as the port of the XWorm ip:port
# rule sid 91518723 in this file; they may describe the same endpoint - confirm in ThreatFox.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mohamed1321-64972.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518722/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518722; rev:1;)
# Shared-service URL: the Host is pastebin.com itself, so the path is the only discriminator.
# The path is stored lower-cased and matched with nocase as a 13-byte prefix with no end
# anchor; if paste keys are case-sensitive (TODO confirm) the rule also matches keys that
# differ only in letter case, and it matches any longer path with the same prefix.
# Expect false positives to be possible at confidence_level 50, and note that `alert http`
# covers cleartext HTTP only; requests made over TLS need decryption or proxy logs to be seen.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/qd7huvef"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518721; rev:1;)
# ip:port rules: no flow or payload condition, so any TCP packet from $HOME_NET to the address
# and port matches (an attempt, not proof of a session). threshold limits output to one alert
# per source address per 60 seconds. target:src_ip marks the internal host as the affected side.
alert tcp $HOME_NET any -> [196.251.115.185] 43213 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518719/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518719; rev:1;)
alert tcp $HOME_NET any -> [20.121.52.1] 5708 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"elrey051526.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518713/; target:src_ip; metadata: confidence_level 50,
first_seen 2025_05_09; classtype:trojan-activity; sid:91518713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"selectbrasil.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wealthybillionaireman.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518715/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.assanalumlnyum.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518716/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ees-ro.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518717/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sermansilian.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518718/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518718; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"linda991.mywire.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518712/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"botnet.fkgpt.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ccn.fdstat.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ssro.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518711/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518711; rev:1;) alert tcp $HOME_NET any -> [45.145.41.229] 2130 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518706/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518706; rev:1;) alert tcp $HOME_NET any -> [45.145.41.229] 2137 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1518707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518707; rev:1;) alert tcp $HOME_NET any -> [45.145.41.229] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518708/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ipzsfhmzc.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518700/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"naplet21-56905.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518701/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ratrat2-21846.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518702/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ratrat2-28358.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; 
classtype:trojan-activity; sid:91518703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ratrat2-28891.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ratrat2-33149.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518705/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"floatboatin.ydns.eu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518699/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"login.kakao-accounts.kro.kr"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518698/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pilivoqv.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518697/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518697; rev:1;)
# "payload delivery" URL rules whose path is just "/": http.uri content "/" with depth:1 is
# satisfied by any request path, so each rule is effectively "any cleartext GET to this exact
# Host". The Host match is exact (depth = content length plus isdataat:!1,relative).
# All four carry confidence_level 50; use the metadata field to route them to a lower-priority
# queue or to require a second signal (DNS hit, download event on the host) before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"din.akurasiibl.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518696/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"proprtrmsvstr.world"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518695/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"admin-extr-net.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518694/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518694; rev:1;)
# Host below is a per-site name under the github.io suffix; only this exact name matches.
# As an `alert http` rule it does not see requests made over TLS unless they are decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"solara-support.github.io"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518693/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518693; rev:1;)
# C2 URL rules against IP-literal hosts with very short path prefixes. "/d" with depth:2 and
# nocase matches every path that begins with "/d" or "/D"; "/" with depth:1 matches every path.
# In both cases the alert rests on the Host value alone, so triage should look at what was
# requested and returned (EVE http records, pcap) instead of relying on the rule's msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d"; depth:2; nocase; http.host; content:"185.147.124.212"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518692/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"217.154.22.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518691/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518691; rev:1;)
# Domain rules at confidence_level 100. dns_query is matched as a whole, case-insensitively
# (depth = content length, isdataat:!1,relative, nocase), so subdomains of these names are not
# covered. There is no threshold on dns rules in this file: a host that retries the lookup
# produces one alert per matching query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"privatunis.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmedtipp.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"overcovtcg.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 100%)"; dns_query; content:"blackswmxc.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.70.158.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518687/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"216.83.42.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518686/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"217.197.162.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518685/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"45.145.228.9"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1518684/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518684; rev:1;)
# ThreatFox-generated indicator rules, one rule per line. Each sid is "9" followed by
# the ThreatFox IOC id that appears in the rule's reference URL.
#
# url indicator (alert http): cleartext GET, URI prefix match, exact match on the Host
# value (depth = string length, isdataat:!1,relative forbids trailing bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.96.179.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518682/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518682; rev:1;)
# ip:port indicators (alert tcp): no payload or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches. The threshold option caps output at
# one alert per source host per 60 seconds. target:src_ip marks the internal host as
# the target in the alert record.
# confidence_level 50 entries: corroborate with endpoint or proxy telemetry before
# blocking, since an address alone says nothing about what was exchanged.
alert tcp $HOME_NET any -> [91.132.139.150] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518681/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518681; rev:1;)
alert tcp $HOME_NET any -> [3.96.141.164] 11300 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518680/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518680; rev:1;)
# Same destination address on two ports (426 and 419).
alert tcp $HOME_NET any -> [180.178.189.3] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518656; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518673; rev:1;)
alert tcp $HOME_NET any -> [209.141.33.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518679/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518679; rev:1;)
# NOTE(review): a family label on port 13 at 50% confidence is presumably a
# scan-derived attribution - confirm against the ThreatFox entry before escalating.
alert tcp $HOME_NET any -> [18.237.255.148] 13 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518678/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518678; rev:1;)
alert tcp $HOME_NET any -> [213.155.195.70] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518677/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518677; rev:1;)
alert tcp $HOME_NET any -> [160.25.7.206] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518676/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518676; rev:1;)
alert tcp $HOME_NET any -> [185.75.240.211] 4443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518675/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518675; rev:1;)
alert tcp $HOME_NET any -> [212.69.167.73] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518674/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518674; rev:1;)
# ThreatFox-generated ip:port indicator rules, one rule per line. Each sid is "9"
# followed by the ThreatFox IOC id that appears in the rule's reference URL.
# No payload or flow keywords are present, so any TCP packet from $HOME_NET to the
# listed address and port matches; the threshold option caps output at one alert per
# source host per 60 seconds. target:src_ip marks the internal host as the target.
# Every rule in this run carries confidence_level 50: treat a hit as a lead to
# corroborate, not as proof of compromise.
alert tcp $HOME_NET any -> [54.218.66.197] 2379 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518671/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518671; rev:1;)
alert tcp $HOME_NET any -> [157.175.54.222] 13 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518672/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518672; rev:1;)
alert tcp $HOME_NET any -> [118.122.8.155] 1650 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518669/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518669; rev:1;)
alert tcp $HOME_NET any -> [13.231.55.89] 50100 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518670/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518670; rev:1;)
# NOTE(review): 31337 is, to my knowledge, the default port of Sliver's operator
# (multiplayer) listener rather than of an implant listener, so these entries
# presumably come from server fingerprinting - verify before reading a hit as
# implant traffic.
alert tcp $HOME_NET any -> [89.111.173.134] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518668/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518668; rev:1;)
alert tcp $HOME_NET any -> [5.35.125.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518666/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518666; rev:1;)
alert tcp $HOME_NET any -> [178.128.214.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518667/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518667; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518663/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518663; rev:1;)
alert tcp $HOME_NET any -> [23.95.247.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518664/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518664; rev:1;)
alert tcp $HOME_NET any -> [34.87.122.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518665/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518665; rev:1;)
alert tcp $HOME_NET any -> [35.200.198.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518662/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518662; rev:1;)
# NOTE(review): 50050 is, to my knowledge, the default Cobalt Strike team-server
# (operator) port - same caveat as for 31337 above; confirm.
alert tcp $HOME_NET any -> [211.86.146.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518661/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518661; rev:1;)
# Ports 443, 8443 and 80 below: the rule does not inspect the protocol carried, so any
# TCP traffic to these addresses on those ports alerts.
alert tcp $HOME_NET any -> [86.107.101.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518660/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518660; rev:1;)
alert tcp $HOME_NET any -> [18.254.72.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518658/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518658; rev:1;)
alert tcp $HOME_NET any -> [158.247.206.56] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518659/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518659; rev:1;)
alert tcp $HOME_NET any -> [34.169.179.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518657/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ib4zuemtzfv831zg2hsjrlsntuq8fj6q0-jabcv4v6g"; depth:44; nocase; http.host; content:"packedbrick.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518634; rev:1;)
# ThreatFox-generated indicator rules, one rule per line. Each sid is "9" followed by
# the ThreatFox IOC id that appears in the rule's reference URL.
#
# ip:port indicators (alert tcp): no payload or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; the threshold option caps output at
# one alert per source host per 60 seconds. target:src_ip marks the internal host as
# the target in the alert record.
# The Tofsee entries in this run name only two destination addresses, each on several
# ports between 416 and 430. Ports the feed has not listed are not covered; consider an
# address-level reputation entry locally if that gap matters.
alert tcp $HOME_NET any -> [180.178.189.3] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518639; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518635; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518636; rev:1;)
# domain indicators (alert dns): dns_query + depth + isdataat:!1,relative + nocase is a
# case-insensitive exact match on the queried name; a lookup for the parent domain or
# for another subdomain does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.santechplumbing.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"huliq.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518638; rev:1;)
# Remaining Tofsee ip:port entries for the same two addresses.
alert tcp $HOME_NET any -> [80.66.75.39] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518640; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518641; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518643; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518642; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518644; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518645; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518646; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518647; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518650; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518648; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; 
classtype:trojan-activity; sid:91518649; rev:1;)
# ThreatFox-generated indicator rules, one rule per line. Each sid is "9" followed by
# the ThreatFox IOC id that appears in the rule's reference URL.
#
# ip:port indicators (alert tcp): no payload or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; the threshold option caps output at
# one alert per source host per 60 seconds. target:src_ip marks the internal host as
# the target in the alert record.
alert tcp $HOME_NET any -> [80.66.75.39] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518652; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518653; rev:1;)
alert tcp $HOME_NET any -> [180.178.189.3] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518654; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.39] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518655; rev:1;)
# confidence_level 75 from here to the end of the ip:port run: stronger than the 50%
# entries elsewhere in the feed, but still worth corroborating before blocking.
alert tcp $HOME_NET any -> [196.251.118.131] 2005 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518651/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518651; rev:1;)
alert tcp $HOME_NET any -> [62.217.178.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518633/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518633; rev:1;)
alert tcp $HOME_NET any -> [39.101.75.126] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518632/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518632; rev:1;)
alert tcp $HOME_NET any -> [166.88.100.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518631/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518631; rev:1;)
alert tcp $HOME_NET any -> [154.219.109.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518630/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518630; rev:1;)
alert tcp $HOME_NET any -> [121.37.25.79] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518629/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518629; rev:1;)
alert tcp $HOME_NET any -> [113.45.225.150] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518628/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518628; rev:1;)
alert tcp $HOME_NET any -> [103.171.35.26] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518627/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518627; rev:1;)
# domain indicators (alert dns): dns_query + depth + isdataat:!1,relative + nocase is a
# case-insensitive exact match on the queried name. Several names below are subdomains
# under a widely shared parent; only the full listed name matches, so lookups for the
# parent or for sibling names do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.tsesec.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518626/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qq.vnifnifnie.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518625/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cntax.it.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518624/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"afn00ws82z1yf.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518623/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ponek.run"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518587; rev:1;)
# ThreatFox-generated indicator rules, one rule per line. Each sid is "9" followed by
# the ThreatFox IOC id that appears in the rule's reference URL.
#
# ip:port indicators (alert tcp): no payload or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; the threshold option caps output at
# one alert per source host per 60 seconds. target:src_ip marks the internal host as
# the target in the alert record.
alert tcp $HOME_NET any -> [218.30.103.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518592; rev:1;)
alert tcp $HOME_NET any -> [54.157.200.163] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518593; rev:1;)
alert tcp $HOME_NET any -> [101.201.80.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518595; rev:1;)
# url indicator (alert http): cleartext GET whose URI begins with the listed prefix
# and whose normalized Host equals the listed name exactly (depth = string length,
# isdataat:!1,relative forbids trailing bytes). Requests to the same host over TLS are
# not inspected by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaoh"; depth:5; nocase; http.host; content:"bulgecont.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518622/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518622; rev:1;)
alert tcp $HOME_NET any -> [47.109.83.12] 7100 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518621; rev:1;)
alert tcp $HOME_NET any -> [115.79.224.62] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518619; rev:1;)
alert tcp $HOME_NET any -> [193.233.113.35] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518620; rev:1;)
# One address below is listed on both port 80 and port 3389. The rules key on address
# and port only; they do not check which protocol is actually spoken on the port.
alert tcp $HOME_NET any -> [34.9.238.133] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518617; rev:1;)
alert tcp $HOME_NET any -> [34.9.238.133] 3389 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518618; rev:1;)
alert tcp $HOME_NET any -> [212.232.22.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518615; rev:1;)
alert tcp $HOME_NET any -> [34.173.145.169] 3389 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518616; rev:1;)
alert tcp $HOME_NET any -> [46.202.166.197] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518614; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.100] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518613; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.13] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518612; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.42] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518610; rev:1;)
alert tcp $HOME_NET any -> [196.251.73.133] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518611; rev:1;)
alert tcp $HOME_NET any -> [3.239.212.84] 8808 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518608; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator. Each sid is the ThreatFox
# IOC id from the rule's reference URL, prefixed with 9.
#
# ip:port rules carry no flow or content keyword: they match on destination address
# and port alone, so any TCP packet from $HOME_NET to that endpoint qualifies.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds. A hit shows that a host contacted the
# endpoint and nothing more; weigh confidence_level and first_seen during triage.
alert tcp $HOME_NET any -> [128.90.113.42] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518609; rev:1;)
alert tcp $HOME_NET any -> [45.129.3.220] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518607/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_09; classtype:trojan-activity; sid:91518607; rev:1;)
alert tcp $HOME_NET any -> [78.141.221.31] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518606/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_09; classtype:trojan-activity; sid:91518606; rev:1;)
alert tcp $HOME_NET any -> [121.37.189.77] 9100 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518604; rev:1;)
alert tcp $HOME_NET any -> [157.245.103.84] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518605; rev:1;)
alert tcp $HOME_NET any -> [162.246.185.77] 4699 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518601; rev:1;)
alert tcp $HOME_NET any -> [188.93.233.101] 8443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518602; rev:1;)
alert tcp $HOME_NET any -> [78.70.235.238] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518603; rev:1;)
alert tcp $HOME_NET any -> [196.251.85.124] 2004 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518600; rev:1;)
alert tcp $HOME_NET any -> [43.139.240.201] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518599; rev:1;)
alert tcp $HOME_NET any -> [121.40.159.30] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518598; rev:1;)
alert tcp $HOME_NET any -> [154.12.20.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518597; rev:1;)
alert tcp $HOME_NET any -> [103.241.74.243] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518596; rev:1;)
# url rules: GET requests whose URI starts with the listed path (depth anchors the
# start of http.uri; nothing anchors its end) and whose http.host equals the listed
# name exactly (content length == depth, then isdataat:!1,relative). They apply only
# to traffic Suricata parses as HTTP, so the same URL requested inside TLS is not
# matched unless the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toibnh"; depth:7; nocase; http.host; content:"taleweaiver.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518591/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"sjawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518590/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/qopy"; depth:5; nocase; http.host; content:"fowlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518589/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518589; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator (sid = 9 + ThreatFox IOC id).
# Three rule shapes appear in this span:
#   ip:port - matches destination address and port only; alerts are limited to one
#             per source address per 60 seconds by the threshold keyword.
#   domain  - dns_query content with depth equal to its length plus
#             isdataat:!1,relative, i.e. the query name must equal the domain
#             exactly (nocase); queries for subdomains of it do not match.
#   url     - GET, URI prefix match on http.uri, exact match on http.host; only
#             traffic parsed as HTTP is inspected.
alert tcp $HOME_NET any -> [103.140.154.111] 2443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518588/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meteorplyp.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cokok.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackljjwc.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interpwthc.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"demuq.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518586; rev:1;)
# The next two url rules are confidence_level 50 and share the generic path "/drive/";
# the http.host match is what ties a hit to the indicator. Treat hits as leads to
# corroborate with other telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drive/"; depth:7; nocase; http.host; content:"architrata.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drive/"; depth:7; nocase; http.host; content:"carflotyup.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518580; rev:1;)
alert tcp $HOME_NET any -> [103.77.241.3] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518581/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"curol.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ximyt.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518558; rev:1;)
alert tcp $HOME_NET any -> [75.119.159.249] 8082 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518578/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518578; rev:1;)
# The name below sits under plesk.page; because the match is exact, only this one
# host name alerts, not other names under the same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nervous-mccarthy.154-53-165-98.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518577; rev:1;)
# One rule per address/port pair: 3.25.173.186 is listed for ports 82 and 2082.
alert tcp $HOME_NET any -> [3.25.173.186] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518575; rev:1;)
alert tcp $HOME_NET any -> [3.25.173.186] 2082 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518576; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator (sid = 9 + ThreatFox IOC id).
#
# ip:port rules match on destination address and port alone (no flow or content
# keyword), so any TCP packet from $HOME_NET to the endpoint qualifies; the
# threshold keyword limits output to one alert per source address per 60 seconds.
# An address that serves several ports gets one rule per port (172.86.110.217 on
# 80 and 443, 196.251.114.11 on 222 and 8808).
#
# domain rules require the DNS query name to equal the listed name exactly
# (content length == depth, isdataat:!1,relative, nocase); subdomains do not match.
alert tcp $HOME_NET any -> [172.86.110.217] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518573; rev:1;)
alert tcp $HOME_NET any -> [172.86.110.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"185-143-241-98.verelox.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518571; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518572; rev:1;)
alert tcp $HOME_NET any -> [188.132.183.140] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518569; rev:1;)
alert tcp $HOME_NET any -> [103.116.8.240] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv35062473.ultasrv.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518568; rev:1;)
alert tcp $HOME_NET any -> [149.248.51.122] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518566; rev:1;)
alert tcp $HOME_NET any -> [31.172.74.201] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518567; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.11] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518564; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.11] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518565; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.69] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518563; rev:1;)
alert tcp $HOME_NET any -> [20.2.234.165] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518562; rev:1;)
alert tcp $HOME_NET any -> [43.139.240.201] 8389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518561; rev:1;)
alert tcp $HOME_NET any -> [38.165.21.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518560; rev:1;)
alert tcp $HOME_NET any -> [167.99.76.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"146.158.127.185";
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_09; classtype:trojan-activity; sid:91518557; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator (sid = 9 + ThreatFox IOC id).
#
# url rules: GET requests whose URI starts with the listed path (depth anchors the
# start of http.uri; nothing anchors its end) and whose http.host equals the listed
# name exactly. Only traffic Suricata parses as HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"vinsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518555/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"rhomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518554/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"kgrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518553/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518553; rev:1;)
# ip:port rules match on destination address and port alone; the threshold keyword
# limits output to one alert per source address per 60 seconds. Most rules below
# are labelled "Unknown malware": the msg names no family, so the reference URL is
# the only pointer to context. Several use common service ports (443, 8080), where
# an address-only match cannot tell C2 traffic from any other service on that host.
alert tcp $HOME_NET any -> [178.128.251.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518542; rev:1;)
alert tcp $HOME_NET any -> [54.154.114.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518543; rev:1;)
alert tcp $HOME_NET any -> [91.99.15.48] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518544; rev:1;)
alert tcp $HOME_NET any -> [15.228.82.215] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518545; rev:1;)
alert tcp $HOME_NET any -> [154.247.240.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518546; rev:1;)
alert tcp $HOME_NET any -> [213.157.40.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518538; rev:1;)
alert tcp $HOME_NET any -> [149.104.28.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518539; rev:1;)
alert tcp $HOME_NET any -> [38.128.250.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518540; rev:1;)
alert tcp $HOME_NET any -> [161.35.207.1] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518541; rev:1;)
alert tcp $HOME_NET any -> [93.125.114.39] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518537; rev:1;)
alert tcp $HOME_NET any -> [47.108.140.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518529; rev:1;)
alert tcp $HOME_NET any -> [123.56.187.48] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518531; rev:1;)
alert tcp $HOME_NET any -> [120.46.183.147] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518530; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator (sid = 9 + ThreatFox IOC id).
#
# domain rules: the DNS query name must equal the listed name exactly (content
# length == depth, isdataat:!1,relative, nocase); subdomains do not match.
# ip:port rules: destination address and port only; one alert per source address
# per 60 seconds (threshold keyword).
# url rules: GET, URI prefix match on http.uri, exact match on http.host.
#
# 213.226.113.234 appears twice in this span: as the Host of the payload URL rule
# (sid 91518504) and as a DCRat endpoint on port 8848 (sid 91518503). A client that
# fetches that URL over port 80 triggers only the url rule; the two alerts together
# indicate both download and C2 contact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freeresolve.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518526; rev:1;)
alert tcp $HOME_NET any -> [143.92.48.137] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tempoestil.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518525; rev:1;)
alert tcp $HOME_NET any -> [188.55.203.226] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518527; rev:1;)
alert tcp $HOME_NET any -> [43.242.200.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518524; rev:1;)
alert tcp $HOME_NET any -> [202.95.12.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518522; rev:1;)
alert tcp $HOME_NET any -> [156.245.28.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518523; rev:1;)
alert tcp $HOME_NET any -> [209.141.51.24] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518520; rev:1;)
alert tcp $HOME_NET any -> [124.220.205.147] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nhf7/phbf.exe"; depth:14; nocase; http.host; content:"213.226.113.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micuh.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518516; rev:1;)
alert tcp $HOME_NET any -> [158.247.206.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hyvur.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518499; rev:1;)
alert tcp $HOME_NET any -> [213.226.113.234] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.guradclaouds.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.clauodgaards.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1518498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518498; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator (sid = 9 + ThreatFox IOC id).
#
# ip:port rules match on destination address and port alone (no flow or content
# keyword); the threshold keyword limits output to one alert per source address
# per 60 seconds. Many entries here sit on ports 80 and 443, where an address-only
# match cannot separate C2 traffic from other services on the same host.
# domain rules require the DNS query name to equal the listed name exactly.
# url rules: GET, URI prefix match on http.uri, exact match on http.host; only
# traffic Suricata parses as HTTP is inspected.
alert tcp $HOME_NET any -> [140.143.205.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518474; rev:1;)
alert tcp $HOME_NET any -> [118.195.134.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kahox.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518472; rev:1;)
alert tcp $HOME_NET any -> [47.242.152.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sukum.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518469; rev:1;)
# http.host holds an IP literal in the next rule, so it matches requests that carry
# that address as the host; the URI match is a prefix match on the listed path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"129.226.189.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518471; rev:1;)
alert tcp $HOME_NET any -> [62.234.92.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518552; rev:1;)
alert tcp $HOME_NET any -> [113.45.7.54] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518551; rev:1;)
alert tcp $HOME_NET any -> [8.155.7.173] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"lclatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518549/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"kaeneasq.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518548/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"4homewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518547/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518547; rev:1;)
alert tcp $HOME_NET any -> [167.86.171.34] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518533; rev:1;)
alert tcp $HOME_NET any -> [51.20.131.192] 44819 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518534; rev:1;)
alert tcp $HOME_NET any -> [13.247.67.85] 32963 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518535; rev:1;)
alert tcp $HOME_NET any ->
[13.247.67.85] 47163 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518536; rev:1;)
# Generated ThreatFox IOC rules, one rule per indicator (sid = 9 + ThreatFox IOC id).
#
# ip:port rules match on destination address and port alone (no flow or content
# keyword), so any TCP packet from $HOME_NET to the endpoint qualifies; the
# threshold keyword limits output to one alert per source address per 60 seconds.
# A hit shows that a host contacted the endpoint and nothing more; weigh
# confidence_level and first_seen (the last rules below are dated 2025_05_08,
# the rest 2025_05_09) during triage.
alert tcp $HOME_NET any -> [102.100.72.239] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518532; rev:1;)
alert tcp $HOME_NET any -> [38.46.14.202] 27987 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518518; rev:1;)
alert tcp $HOME_NET any -> [202.95.8.144] 7081 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518517; rev:1;)
# url rule: GET requests whose URI starts with "/rpc" (prefix match, so longer
# paths also match) and whose http.host equals the listed IP literal exactly.
# The path is short and generic; the host match is what ties a hit to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpc"; depth:4; nocase; http.host; content:"8.130.132.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518515/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_09; classtype:trojan-activity; sid:91518515; rev:1;)
alert tcp $HOME_NET any -> [94.198.40.6] 20024 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518514; rev:1;)
alert tcp $HOME_NET any -> [51.12.242.29] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518513; rev:1;)
alert tcp $HOME_NET any -> [143.92.48.130] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518512; rev:1;)
alert tcp $HOME_NET any -> [213.209.150.210] 8883 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518511; rev:1;)
alert tcp $HOME_NET any -> [188.132.129.196] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518510; rev:1;)
alert tcp $HOME_NET any -> [45.81.23.113] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518509; rev:1;)
alert tcp $HOME_NET any -> [77.221.158.154] 31999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518508; rev:1;)
alert tcp $HOME_NET any -> [38.55.192.237] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518507; rev:1;)
alert tcp $HOME_NET any -> [84.46.236.55] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_09; classtype:trojan-activity; sid:91518506; rev:1;)
alert tcp $HOME_NET any -> [213.226.113.235] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518505; rev:1;)
alert tcp $HOME_NET any -> [167.86.109.240] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518502/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"olympusgo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1518501/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"raeneasq.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518500/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518500; rev:1;) alert tcp $HOME_NET any -> [70.31.125.238] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518496/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518496; rev:1;) alert tcp $HOME_NET any -> [43.141.130.132] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518495/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518495; rev:1;) alert tcp $HOME_NET any -> [189.140.41.58] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518494/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518494; rev:1;) alert tcp $HOME_NET any -> [158.160.26.151] 1720 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518493/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518493; 
rev:1;) alert tcp $HOME_NET any -> [116.26.10.55] 36166 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518492/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518492; rev:1;) alert tcp $HOME_NET any -> [185.195.64.68] 443 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518491; rev:1;) alert tcp $HOME_NET any -> [103.159.50.30] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518490/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518490; rev:1;) alert tcp $HOME_NET any -> [101.226.27.147] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518489/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518489; rev:1;) alert tcp $HOME_NET any -> [199.247.6.61] 80 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsdlaowaa.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1518487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mskisdakw.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518486; rev:1;) alert tcp $HOME_NET any -> [172.171.241.227] 8787 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518485; rev:1;) alert tcp $HOME_NET any -> [54.187.139.165] 113 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518484; rev:1;) alert tcp $HOME_NET any -> [52.79.126.186] 11872 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518483; rev:1;) alert tcp $HOME_NET any -> [45.80.158.238] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518482; rev:1;) alert tcp $HOME_NET any -> 
[196.251.118.253] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518480; rev:1;) alert tcp $HOME_NET any -> [176.65.134.77] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518481; rev:1;) alert tcp $HOME_NET any -> [116.62.30.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518479; rev:1;) alert tcp $HOME_NET any -> [5.35.125.77] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518478; rev:1;) alert tcp $HOME_NET any -> [212.69.86.8] 5061 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518477; rev:1;) alert tcp $HOME_NET any -> [47.109.190.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518476/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518476; rev:1;) alert tcp $HOME_NET any -> [103.12.149.123] 8080 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518470; rev:1;) alert tcp $HOME_NET any -> [77.232.38.204] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fecif.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fanpuy.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minak.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518464; rev:1;) alert tcp $HOME_NET any -> [39.105.6.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518466/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518466; rev:1;) alert tcp $HOME_NET any -> [113.44.132.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518465/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518465; rev:1;) alert tcp $HOME_NET any -> [18.133.246.144] 1244 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518463; rev:1;) alert tcp $HOME_NET any -> [202.95.14.161] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518462; rev:1;) alert tcp $HOME_NET any -> [196.251.71.236] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518461; rev:1;) alert tcp $HOME_NET any -> [89.111.173.134] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; 
classtype:trojan-activity; sid:91518460; rev:1;) alert tcp $HOME_NET any -> [185.49.126.223] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518458; rev:1;) alert tcp $HOME_NET any -> [45.13.38.142] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518459; rev:1;) alert tcp $HOME_NET any -> [166.88.100.85] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518456; rev:1;) alert tcp $HOME_NET any -> [149.88.71.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518454; rev:1;) alert tcp $HOME_NET any -> [154.204.35.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"genow.run"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sohaeidacademy.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518451/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myspecialdot.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sihen.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518442; rev:1;) alert tcp $HOME_NET any -> [137.220.135.67] 6064 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jodob.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; 
classtype:trojan-activity; sid:91518440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2providertemporaryprivate/httpapitemporary6/4publicsecureauth/lowwindows/9/lowjsvoiddb/temporaryproton/videojavascripthttpserverprotectflowergeneratortrafficuploadsdownloads.php"; depth:178; nocase; http.host; content:"92.63.102.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mehig.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518429; rev:1;) alert tcp $HOME_NET any -> [196.251.117.50] 5213 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"ggrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518437/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"finsidegrah.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"8stuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnaz"; depth:5; nocase; http.host; content:"voznessxyy.life"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"tclatteqrpq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lznd"; depth:5; nocase; http.host; content:"ninepicchf.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518432/; target:src_ip; 
metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kljz"; depth:5; nocase; http.host; content:"clatteqrpq.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518431/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"3homewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518430/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"wishspy.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"appli-cff.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cagom.run"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daqev.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"www.thefertilemine.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518424; rev:1;) alert tcp $HOME_NET any -> [166.88.164.201] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518425; rev:1;) alert tcp $HOME_NET any -> [160.30.44.124] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518421; rev:1;) alert tcp $HOME_NET any -> [160.30.44.174] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518422/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518422; rev:1;) alert tcp $HOME_NET any -> [77.90.153.228] 443 (msg:"ThreatFox Coper botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518420/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"53d6c5e5e04f7e079df5d5d77bc259ea.us"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/minjs.js"; depth:13; nocase; http.host; content:"motocyclenews.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/select.js"; depth:14; nocase; http.host; content:"motocyclenews.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/in"; depth:7; nocase; http.host; 
content:"johnoton.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518409; rev:1;)
# Layout: one rule per line, as Suricata expects. The line above is the tail of a rule that
# starts before this section; the last line below is the head of a rule that continues after it.
#
# Three rule shapes appear in this section:
#   alert dns  - dns_query content with depth equal to the pattern length plus
#                isdataat:!1,relative, so the queried name must equal the listed name
#                (case-insensitive via nocase); other names under the same domain do not match.
#   alert http - client GET requests on established flows. http.host is anchored at both ends
#                (exact Host value); http.uri has depth but no end anchor, so the listed path
#                is a prefix match and longer URIs starting with it also alert.
#   alert tcp  - destination IP and port only, with no payload or flow-state condition;
#                threshold limits output to one alert per source address per 60 seconds.
# All rules alert on traffic leaving $HOME_NET and set target:src_ip, i.e. the internal host is
# recorded as the affected endpoint. confidence_level in metadata is the feed's own rating
# (50, 75 or 100 in this section) and is worth using for alert triage or rule selection.
# The rules carry first_seen only; whether an address or name is still in use is not stated
# here, so check the referenced ThreatFox entry before acting on a hit from an old indicator.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer; the http rules
# in this file already use the dotted form (http.method, http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"johnoton.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"motocyclenews.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/lll.php"; depth:12; nocase; http.host; content:"motocyclenews.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buts.zip"; depth:9; nocase; http.host; content:"territoirespaysagistes.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"territoirespaysagistes.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ttxch.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.thefertilemine.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mobile-cff.app"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518408; rev:1;)
alert tcp $HOME_NET any -> [111.230.233.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518407/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mzrln.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xnzbd"; depth:6; nocase; http.host; content:"taskrunp.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518405/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizardly-cannon.51-195-229-85.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518404; rev:1;)
alert tcp $HOME_NET any -> [154.201.90.76] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518403; rev:1;)
alert tcp $HOME_NET any -> [23.26.201.169] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518402; rev:1;)
alert tcp $HOME_NET any -> [15.152.54.240] 20547 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518401; rev:1;)
alert tcp $HOME_NET any -> [75.119.159.249] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518399; rev:1;)
alert tcp $HOME_NET any -> [31.220.44.127] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"setup.bestoffersfortoday.store"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"37-72-168-146.static.hvvc.us"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518398; rev:1;)
alert tcp $HOME_NET any -> [45.61.165.249] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518396; rev:1;)
alert tcp $HOME_NET any -> [92.63.100.74] 33949 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518395; rev:1;)
alert tcp $HOME_NET any -> [43.139.240.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518394; rev:1;)
alert tcp $HOME_NET any -> [139.224.30.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518393; rev:1;)
alert tcp $HOME_NET any -> [103.140.154.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518391; rev:1;)
alert tcp $HOME_NET any -> [47.107.49.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518392; rev:1;)
alert tcp $HOME_NET any -> [202.95.12.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518389; rev:1;)
alert tcp $HOME_NET any -> [116.62.205.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snhnv.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noxajb.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voznessxyy.life"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clatteqrpq.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninepicchf.bet"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/in"; depth:7; nocase; http.host; content:"colliel.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"colliel.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fhtnt.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xtkdt.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518386; rev:1;)
alert tcp $HOME_NET any -> [81.17.20.66] 4431 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518387/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nshpd.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518377; rev:1;)
alert tcp $HOME_NET any -> [110.41.60.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518376/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518376; rev:1;)
alert tcp $HOME_NET any -> [95.135.153.175] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518375/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"npknn.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"life.judyfay.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518373/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"lenovo-sync.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518372/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spec.gl.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518371/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518371; rev:1;)
alert tcp $HOME_NET any -> [46.101.236.176] 1853 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518369/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518369; rev:1;)
alert tcp $HOME_NET any -> [79.110.62.113] 4836 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518370/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"botnet.ethoneservices.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518368/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"jamesrockky.ydns.eu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"riches20.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"steveswiths.freemyip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518367/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qmzks.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518362; rev:1;)
alert tcp $HOME_NET any -> [47.129.144.57] 636 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518364; rev:1;)
alert tcp $HOME_NET any -> [134.199.169.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518363; rev:1;)
alert tcp $HOME_NET any -> [167.172.94.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518361; rev:1;)
alert tcp $HOME_NET any -> [120.26.243.135] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518360; rev:1;)
alert tcp $HOME_NET any -> [66.42.44.50] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518359; rev:1;)
alert tcp $HOME_NET any -> [27.102.127.136] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518357; rev:1;)
alert tcp $HOME_NET any -> [89.40.31.225] 9373 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518358; rev:1;)
alert tcp $HOME_NET any -> [154.219.119.63] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518356; rev:1;)
alert tcp $HOME_NET any -> [121.36.228.26] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518355; rev:1;)
alert tcp $HOME_NET any -> [91.200.14.226] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerjavascriptupdategamebigloaddblinux.php"; depth:47; nocase; http.host; content:"kruasanpcs.mywebcommunity.org"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518353; rev:1;)
# The next two rules use "/" as the URI pattern. Because http.uri is only prefix-anchored, each
# fires on any GET request whose Host value equals the listed address, whatever the path.
# Both are rated confidence_level 50 by the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"103.74.101.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518352/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"85.192.48.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518351/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xkpdf.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518337; rev:1;)
alert tcp $HOME_NET any -> [117.209.241.134] 49682 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518350/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518350; rev:1;)
alert tcp $HOME_NET any -> [15.222.3.45] 12112 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518349/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518349; rev:1;)
alert tcp $HOME_NET any -> [220.71.102.113] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518348/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518348; rev:1;)
alert tcp $HOME_NET any -> [158.247.207.197] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518347/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518347; rev:1;)
alert tcp $HOME_NET any -> [158.247.202.109] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518346/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518346; rev:1;)
alert tcp $HOME_NET any -> [51.21.245.196] 12284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518345/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518345; rev:1;)
alert tcp $HOME_NET any -> [37.72.168.146] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518343/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518343; rev:1;)
alert tcp $HOME_NET any -> [169.150.155.228] 55553 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518344/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518344; rev:1;)
alert tcp $HOME_NET any -> [15.168.9.236] 2002 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518341/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518341; rev:1;)
alert tcp $HOME_NET any -> [176.82.189.27] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518342/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518342; rev:1;)
alert tcp $HOME_NET any -> [24.199.73.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518339/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518339; rev:1;)
alert tcp $HOME_NET any -> [158.247.218.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518340/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518340; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.181] 9922 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"mstuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518336/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mben"; depth:5; nocase; http.host; content:"joctalfbsh.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518335/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518335; rev:1;)
alert tcp $HOME_NET any -> [43.132.216.81] 635 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqiw"; depth:5; nocase; http.host; content:"3k0monemiltxny.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518332/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mben"; depth:5; nocase; http.host; content:"3yoctalfbsh.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518333/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pmglw.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518330; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.210] 15390 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518331/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"51.195.229.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rkblm.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"ohomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518329/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrqo"; depth:5; nocase; http.host; content:"mariosefqcu.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518328/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"egiftshop.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"highcouncipl.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tapandshop.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tavernfolkk.run"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"towerstozne.run"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unmutezcx.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viscosityobserving.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ctortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518320/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"djrtt.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518302; rev:1;)
alert tcp $HOME_NET any -> [147.79.20.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518317; rev:1;)
alert tcp $HOME_NET any -> [101.37.80.173] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518316; rev:1;)
alert tcp $HOME_NET any -> [47.92.216.212] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518315; rev:1;)
alert tcp $HOME_NET any -> [43.251.100.146] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518314; rev:1;)
alert tcp $HOME_NET any -> [150.158.108.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atok"; depth:5; nocase; http.host; content:"tremelzxiy.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518312/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"oorijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518311/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"grizzlqzuk.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518310/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"egrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518309/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pwq"; depth:4; nocase; http.host; content:"apronsxrum.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518308/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mben"; depth:5; nocase; http.host; content:"9octalfbsh.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518307/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"preyinthewild.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"persongiants.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"brotherreligion.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oils.php"; depth:9; nocase; http.host; content:"troublesisters.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518304; rev:1;) alert tcp $HOME_NET any -> [8.138.46.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518298; rev:1;) alert tcp $HOME_NET any -> [20.205.16.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/front.php"; depth:10; nocase; http.host; content:"baleturn.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diagnostics.php"; depth:16; nocase; http.host; content:"fmecoutsm.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xmlvm.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1106686.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518296; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"df-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518128/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"en-koinly.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518129/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatradar5.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518130/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"optislgns.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518131/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"paychex-us.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518132/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.qik.su"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518134/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"bbvanetcashs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518133/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"4kdownloadl.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518135/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"techsmlth.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518136/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ccieaner.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518137/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"koinly-en.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518138/; target:src_ip; metadata: confidence_level 90, 
first_seen 2025_05_08; classtype:trojan-activity; sid:91518138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"zoho-us.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518139/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"dv-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518140/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"en-payroll.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518141/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"easycrypto.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518142/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.dp-www.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518143/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain 
- confidence level: 90%)"; dns_query; content:"www.cisco-us.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518144/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"audacltyteam.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518145/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"cllcktime.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518146/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"quantower.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518147/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"quantower.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518148/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"adoobes.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1518149/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"sportsenginec.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518150/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"apachefrlends.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518151/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"dk-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518152/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"xrpscan-en.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518153/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"coinomi.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518154/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518154; rev:1;) 
# ThreatFox domain IOCs: "payload delivery", confidence_level 90, first_seen 2025_05_08
# (sids 91518155-91518197). Each sid is the digit 9 followed by the ThreatFox IOC id that
# appears in the rule's reference URL.
#
# Match logic shared by every rule in this group:
#   - dns_query selects the DNS query name as the inspection buffer.
#   - depth equals the length of the content string, so the match must start at the first
#     byte of the name; isdataat:!1,relative requires that nothing follows the match.
#     Together they make this a whole-name comparison, case-insensitive because of nocase.
#   - A lookup for any other name under the same domain is therefore NOT matched, and an
#     entry listed with a leading "www." does not cover the bare domain.
#   - target:src_ip marks the querying side as the target in the alert record.
#
# Coverage caveats for triage:
#   - Only queries going from $HOME_NET to $EXTERNAL_NET are considered, and only DNS the
#     sensor can parse; queries carried inside TLS (DoT/DoH) are not visible unless they
#     are decrypted upstream.
#   - NOTE(review): where clients use an internal resolver, the alert source may be the
#     resolver rather than the client - confirm against sensor placement and resolver logs.
#   - An alert records a name lookup; correlate with proxy/endpoint data before treating
#     the host as compromised.
#   - NOTE(review): several names resemble well-known software or service brands with
#     characters swapped - presumably lookalike domains; verify on the ThreatFox IOC page.
#   - NOTE(review): dns_query is the older spelling of the dns.query sticky buffer; check
#     that the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"en-sdccu.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518155/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"monadls.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518156/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"web-chatgpt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518157/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ccieaner.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518158/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.drr-www.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518159/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatradar5.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518160/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"keepassw.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518161/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"web.guarda.pw"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518162/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"floridarealestatechool.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518163/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.dq-www.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518164/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.dy-www.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518165/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"bot.installs.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518166/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"web-silkai.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518167/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"wasabiwallet.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518168/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"moblsystems.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518169/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"openofflce.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518170/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"manageenglne.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518171/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"dg-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518172/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"newrelic-en.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518173/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"tlger.store"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518174/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"sultecrm.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518175/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"do-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518176/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.bawag-web.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518177/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"openofflce.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518178/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ninjaone-en.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518179/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"du-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518180/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"admin.prompasport.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518181/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"techsmlth.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518182/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"apachefrlends.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518183/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"brightdata-en.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518184/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"sysaid-en.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518185/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.shopmeyxchange.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518186/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"coreidraw.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518187/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"cllcktime.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518188/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ion-login.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518189/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"blendrer.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518190/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www-yoast.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518191/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"quantower.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518192/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"3cx-en.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518193/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"moblerecharges.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518194/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ultraviewer-en.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518195/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"tlger.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518196/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ultravlewer.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518197/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518197; rev:1;)
# ThreatFox IOC rules, one rule per line. Three rule shapes appear below:
# domain (dns), ip:port (tcp) and url (http). The confidence value in msg is
# repeated in metadata as confidence_level, next to first_seen.
#
# Domain rules: `depth` equals the content length and `isdataat:!1,relative`
# requires that nothing follows, so a rule fires only when the DNS query name
# is exactly the listed name (case-insensitive). Subdomains are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"4kdownloadl.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518198/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"testerscrypto.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518199/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"bitpay.pw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518200/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"sportsenginec.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518201/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"jam-softwarec.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518202/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"password-en.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518203/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"dx-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518204/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ledgers.su"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518205/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"manageenglne.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518206/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"bamboohr-en.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518207/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"web-goodcrypto.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518208/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"symblosis.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518209/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"testerscrypto.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518210/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bbssj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hspmj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.glitzyentire.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518233; rev:1;)
# ip:port rules: no payload or flow options, so any TCP packet from $HOME_NET
# to the listed address and port alerts; the threshold limits output to one
# alert per source per 60 seconds. The family name in msg comes from the feed;
# the rule itself checks only address and port.
# The first rule below is TCP port 123. NTP normally runs on UDP/123, which a
# tcp rule does not inspect.
alert tcp $HOME_NET any -> [101.35.235.124] 123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518234; rev:1;)
alert tcp $HOME_NET any -> [1.13.156.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518235; rev:1;)
alert tcp $HOME_NET any -> [111.230.212.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518236; rev:1;)
# URL rules: GET requests only. http.host is an exact match (depth plus
# isdataat:!1,relative), but http.uri has `depth` with no end-of-buffer check,
# so it is a prefix match: any URI that starts with the listed path alerts.
# These rules inspect cleartext HTTP; the same URL fetched over TLS is not
# seen unless traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"137.184.35.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518237; rev:1;)
# confidence_level 50 on the next rule, with a four-character URI prefix.
# NOTE(review): consider triaging by the metadata confidence_level field.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hdz"; depth:4; nocase; http.host; content:"rocketlump.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518238/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zxod"; depth:5; nocase; http.host; content:"fanpuy.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pek"; depth:4; nocase; http.host; content:"medikalbitkisel.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapw"; depth:5; nocase; http.host; content:"victoreqs.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwed"; depth:5; nocase; http.host; content:"viridisw.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qena"; depth:5; nocase; http.host; content:"toptalentw.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qeji"; depth:5; nocase; http.host; content:"crocodilefg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xadw"; depth:5; nocase; http.host; content:"wolverineas.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518245; rev:1;)
# The next two rules name widely used hosts (steamcommunity.com, t.me) and key
# on a single path on each; the host alone is not an indicator.
# NOTE(review): both sites are normally reached over HTTPS, so these http rules
# presumably fire only where TLS is decrypted -- confirm coverage. The t.me
# path is a prefix match, so a longer path starting with the same string would
# also alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199845513035"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kubasex"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518247/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518247; rev:1;)
alert tcp $HOME_NET any -> [80.64.18.161] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518248/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_08; classtype:trojan-activity; sid:91518248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"improvxf.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tribunap.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tremelzxiy.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thinkellk.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apronsxrum.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518253; rev:1;)
# The next two names embed an IP address (an EC2-style public DNS name and a
# nip.io name), so they identify an address rather than a registered domain.
# NOTE(review): treat them like ip:port indicators; they stop being meaningful
# once the address is reassigned, and first_seen gives the age of the entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-166-31-74.ap-east-1.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nl-2.193.27.90.134.nip.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518264; rev:1;)
alert tcp $HOME_NET any -> [3.236.12.85] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518265/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518265; rev:1;)
alert tcp $HOME_NET any -> [186.169.63.68] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518266; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.245] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518267; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.198] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518268; rev:1;)
alert tcp $HOME_NET any -> [196.251.71.236] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-246-89-112.us-west-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razesec.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotfoods.socalmediazone.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sci.socalmediazone.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518273; rev:1;)
alert tcp $HOME_NET any -> [45.11.229.12] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518275; rev:1;)
# "Unknown malware": the feed gives no family label for the endpoints below,
# and several use common service ports (80, 443, 8080, 8443).
# NOTE(review): a hit shows only a connection attempt to the address; pair it
# with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [159.69.199.17] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518276; rev:1;)
alert tcp $HOME_NET any -> [3.141.231.53] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518277; rev:1;)
alert tcp $HOME_NET any -> [15.164.18.179] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518278; rev:1;)
alert tcp $HOME_NET any -> [203.193.174.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518279; rev:1;)
alert tcp $HOME_NET any -> [46.38.254.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518280; rev:1;)
alert tcp $HOME_NET any -> [4.237.239.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518281; rev:1;)
alert tcp $HOME_NET any -> [34.249.182.250] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518282; rev:1;)
alert tcp $HOME_NET any -> [52.210.91.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518283; rev:1;)
alert tcp $HOME_NET any -> [146.190.118.96] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518284; rev:1;)
alert tcp $HOME_NET any -> [38.55.198.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518285; rev:1;)
alert tcp $HOME_NET any -> [124.71.7.106] 10002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518286; rev:1;)
alert tcp $HOME_NET any -> [192.241.135.51] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518287; rev:1;)
alert tcp $HOME_NET any -> [43.135.76.103] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518288; rev:1;)
alert tcp $HOME_NET any -> [1.92.158.252] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518289; rev:1;)
alert tcp $HOME_NET any -> [117.88.102.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518290; rev:1;)
alert tcp $HOME_NET any -> [37.27.242.2] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518291; rev:1;)
alert tcp $HOME_NET any -> [188.166.255.201] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518292; rev:1;)
alert tcp $HOME_NET any -> [103.175.217.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518293; rev:1;)
alert tcp $HOME_NET any -> [3.39.87.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518294; rev:1;)
alert tcp $HOME_NET any -> [13.124.234.4] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518295; rev:1;)
# From here the entries are no longer in ascending IOC-id order. Some domains
# below have both a dns rule and one or more http rules (aimpes.com,
# tchmitt.live), so one download attempt can raise several alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aimpes.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"aimpes.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/in"; depth:7; nocase; http.host; content:"tchmitt.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tchmitt.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gfddx.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6t4g.js"; depth:8; nocase; http.host; content:"aimpes.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ntmmh.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518100; rev:1;)
alert tcp $HOME_NET any -> [89.40.31.57] 9373 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ieop"; depth:5; nocase; http.host; content:"insidegrah.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518262/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qhbu"; depth:5; nocase; http.host; content:"agrizzlqzuk.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518261/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"2vecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518260/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518260; rev:1;)
alert tcp $HOME_NET any -> [192.3.12.168] 43256 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518258/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518258; rev:1;)
alert tcp $HOME_NET any -> [192.3.12.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518259/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518259; rev:1;)
alert tcp $HOME_NET any -> [152.42.199.84] 1089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518257/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518257; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.12] 7046 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518255; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.12] 2703 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"chongmei33.myddns.rocks"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"23.27.48.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518232/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_08; classtype:trojan-activity; sid:91518232; rev:1;)
alert tcp $HOME_NET any -> [185.208.159.141] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518231/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_08; classtype:trojan-activity; sid:91518231; rev:1;)
alert tcp $HOME_NET any -> [139.84.132.65] 10001 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518230; rev:1;)
alert tcp $HOME_NET any -> [192.227.217.227] 53018 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518229; rev:1;)
alert tcp $HOME_NET any -> [191.13.208.53] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518228; rev:1;)
alert tcp $HOME_NET any -> [192.121.246.166] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518227; rev:1;)
alert tcp $HOME_NET any -> [85.192.48.2] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518225; rev:1;)
alert tcp $HOME_NET any -> [212.224.107.135] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518226; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.198] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518223; rev:1;)
# ThreatFox ip:port indicators.
# Each rule below matches on destination address and port only; there is no flow-state or
# payload keyword, so a single outbound TCP packet from $HOME_NET (including a SYN that is
# never answered) is enough to raise the alert. Treat a hit as "connection attempted" and
# confirm an established session from flow records before escalating.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at one alert
# per source host per 60 seconds.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9, which makes it
# easy to pivot from an alert to the IOC page.
# NOTE(review): the rules carry first_seen but no expiry; addresses can be reassigned, so
# age out old entries according to local policy.
alert tcp $HOME_NET any -> [196.251.117.82] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518224; rev:1;)
alert tcp $HOME_NET any -> [196.251.73.133] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518221; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.198] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518222; rev:1;)
alert tcp $HOME_NET any -> [161.132.68.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518220; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.100] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518219; rev:1;)
alert tcp $HOME_NET any -> [156.245.27.240] 505 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1518218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518218; rev:1;) alert tcp $HOME_NET any -> [101.126.144.111] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_08; classtype:trojan-activity; sid:91518217; rev:1;) alert tcp $HOME_NET any -> [81.19.141.47] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518215/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518215; rev:1;) alert tcp $HOME_NET any -> [70.31.125.238] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518214/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518214; rev:1;) alert tcp $HOME_NET any -> [188.49.76.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518212/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518212; rev:1;) alert tcp $HOME_NET any -> [173.187.25.146] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518211/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"myaccount.acc-cnter.site"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518126; rev:1;) alert tcp $HOME_NET any -> [103.77.241.172] 443 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518125; rev:1;) alert tcp $HOME_NET any -> [52.210.234.4] 2761 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518124; rev:1;) alert tcp $HOME_NET any -> [37.72.168.146] 15443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bestoffersfortoday.store"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518122; rev:1;) alert tcp $HOME_NET any -> [86.38.247.78] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518121/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518121; rev:1;) alert tcp $HOME_NET any -> [8.210.232.186] 45209 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518120; rev:1;) alert tcp $HOME_NET any -> [68.168.31.113] 53284 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518118; rev:1;) alert tcp $HOME_NET any -> [186.169.63.68] 8888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518119; rev:1;) alert tcp $HOME_NET any -> [77.220.212.80] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518117; rev:1;) alert tcp $HOME_NET any -> [82.115.223.251] 31332 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518116; rev:1;) alert tcp $HOME_NET any -> [192.248.152.36] 37189 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518115; rev:1;)
# ThreatFox URL indicators.
# Match logic of each rule below: client-to-server data on an established flow, an
# http.method buffer containing "GET", an http.uri that begins with the listed path
# (depth equals the pattern length, nocase, no end anchor, so longer paths and query
# strings also match), and an http.host equal to the listed value (depth plus
# isdataat:!1,relative leaves no room for extra bytes).
# These rules rely on Suricata's HTTP parser, so the same URL fetched inside TLS is not
# seen unless traffic is decrypted upstream of the sensor.
# Unlike the ip:port rules in this file, the URL rules carry no threshold keyword, so every
# matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"xtortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518114/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gmk"; depth:4; nocase; http.host; content:"albizzcdlv.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518113/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"forjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518112/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518112; rev:1;)
# confidence_level 50: this rule uses the same action and classtype as the 75% and 100%
# rules, so the metadata value is the only field that separates it for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.209.42.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518105/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; 
classtype:trojan-activity; sid:91518105; rev:1;) alert tcp $HOME_NET any -> [45.158.8.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518104/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91518104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omiga"; depth:6; nocase; http.host; content:"gstarfiswh.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518103/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iut"; depth:4; nocase; http.host; content:"sidebyafzy.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518102/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelinegeomultidefaultuniversalwordpresswp.php"; depth:49; nocase; http.host; content:"997758cm.nyashk.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518101; rev:1;) alert tcp $HOME_NET any -> [87.20.235.24] 5060 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1518097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518097; rev:1;) alert tcp $HOME_NET any -> [87.20.235.24] 5061 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518098; rev:1;) alert tcp $HOME_NET any -> [212.87.221.19] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jskxw.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qstfs.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/minjs.js"; depth:13; nocase; http.host; content:"jerseysus.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; 
classtype:trojan-activity; sid:91518076; rev:1;)
# Domain and URL indicators for the same hosts are interleaved below.
# A dns_query rule with depth equal to the name length plus isdataat:!1,relative matches
# the whole query name only (case-insensitive through nocase); a lookup of a subdomain
# does not match.
# A host that fetches one of the listed URLs will normally also have resolved the domain,
# so expect the domain rule and the URL rules to fire for one event; correlate them by
# source address and do not count them as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/select.js"; depth:14; nocase; http.host; content:"jerseysus.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jerseysus.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518077; rev:1;)
# NOTE(review): this rule alerts on every lookup of the bare domain, while the URL
# indicator for the same host (the /cole.zip rule at the end of this group) names a single
# path. If the site is a compromised legitimate host, the domain rule will also fire on
# benign visits; confirm against the referenced IOC page before blocking on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scf.com"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/lll.php"; depth:12; nocase; http.host; content:"jerseysus.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cole.zip"; depth:9; nocase; http.host; content:"scf.com"; depth:7; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1518080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518080; rev:1;) alert tcp $HOME_NET any -> [94.158.245.104] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lmtdb.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"insidegrah.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grizzlqzuk.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518086; rev:1;) alert tcp $HOME_NET any -> [103.68.181.215] 1688 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518096; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"approach.ilovegaysex.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518093; rev:1;)
# The rule ending above and the two below list three hostnames under one parent domain.
# Each is an exact match on the full query name (depth equals the name length and
# isdataat:!1,relative forbids trailing bytes), so other hostnames under that parent are
# not covered by this feed.
# NOTE(review): if the parent domain is confirmed malicious locally, a site-specific
# suffix rule would close that gap; verify before adding one.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lane.ilovegaysex.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ministry.ilovegaysex.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518095; rev:1;)
# ip:port indicators: matched on destination address and port alone, limited to one alert
# per source host per 60 seconds by the threshold keyword.
alert tcp $HOME_NET any -> [77.232.37.108] 8080 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518089; rev:1;)
alert tcp $HOME_NET any -> [185.173.36.137] 9035 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518090; rev:1;)
alert tcp $HOME_NET any -> [91.142.79.142] 8001 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518091; rev:1;) alert tcp $HOME_NET any -> [185.173.37.18] 9035 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518092; rev:1;) alert tcp $HOME_NET any -> [185.208.159.64] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518088; rev:1;) alert tcp $HOME_NET any -> [94.26.90.76] 3128 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518087; rev:1;) alert tcp $HOME_NET any -> [8.218.198.125] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518083; rev:1;) alert tcp $HOME_NET any -> [13.244.151.202] 51005 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518074; rev:1;) alert tcp $HOME_NET any -> 
[13.244.151.202] 6005 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518073; rev:1;) alert tcp $HOME_NET any -> [51.79.196.122] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518072; rev:1;) alert tcp $HOME_NET any -> [164.215.103.160] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518071; rev:1;) alert tcp $HOME_NET any -> [128.90.122.247] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518070; rev:1;) alert tcp $HOME_NET any -> [110.41.2.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518069; rev:1;) alert tcp $HOME_NET any -> [94.102.49.177] 5900 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518067/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518067; rev:1;) alert tcp $HOME_NET any -> [104.234.114.229] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518068; rev:1;) alert tcp $HOME_NET any -> [103.118.29.177] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518066; rev:1;) alert tcp $HOME_NET any -> [38.55.192.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518064; rev:1;) alert tcp $HOME_NET any -> [1.94.96.91] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518065; rev:1;) alert tcp $HOME_NET any -> [91.220.8.106] 80 (msg:"ThreatFox KPOT Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518063/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c8pd9meo5mnhlji1/gate.php"; depth:26; nocase; http.host; content:"91.220.8.106"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518062; rev:1;)
# The URL rule ending above matches HTTP requests whose host is 91.220.8.106; the ip:port
# rule for the same address on port 80 (sid 91518063) precedes it in this file. A single
# request to that address on port 80 can therefore raise both alerts; the URL rule is the
# more specific of the two and carries the higher confidence_level (100 against 75).
alert tcp $HOME_NET any -> [85.40.86.132] 7005 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518060/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518060; rev:1;)
# The next two rules cover one host with different confidence levels: 50 for the domain
# indicator and 100 for the URL indicator. An alert from the domain rule alone is weaker
# evidence than one from the URL rule; both use the same action and classtype, so the
# metadata value is what separates them for triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"first.pokerstarus.kro.kr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518058/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91518058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/index.php"; depth:16; nocase; http.host; content:"first.pokerstarus.kro.kr"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"pdescenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518056/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; 
classtype:trojan-activity; sid:91518056; rev:1;)
# URL IOCs (cleartext HTTP). Each rule needs an established client-side flow,
# an http.method containing GET, an http.uri that starts with the listed path
# (depth anchors the start only, so longer URIs sharing the prefix also match)
# and an http.host equal to the listed name (depth = content length, and
# isdataat:!1,relative forbids trailing bytes).
# NOTE(review): a request carried inside TLS is not visible to these http rules
# unless traffic is decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"mhomewappzb.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518055/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"istuffgull.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518054/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518054; rev:1;)
# Domain IOCs. dns_query must equal the listed name exactly, case-insensitively
# (depth = content length, isdataat:!1,relative forbids trailing bytes), so a
# query for a subdomain of a listed name does not alert.
# In every rule shown here the sid is the ThreatFox IOC id from the reference
# URL with a leading 9, so an alert maps straight back to its IOC page.
# NOTE(review): dns_query is the older keyword spelling while the HTTP rules use
# dotted sticky-buffer names (http.uri, http.host); confirm the deployed
# Suricata version accepts both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"geckoz.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518036/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fypal.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"horsebbv.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518037/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"koalagf.run"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518038/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"guppycv.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518039/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grizzlxy.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518040/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dingor.run"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518041/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"antelopej.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518042/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flaminguo.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518043/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elephatnt.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518044/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"giraffei.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518045/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"twilightwiarp.digital"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518046/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"norwecono.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518047/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kzgrowthq.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1518050/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518050; rev:1;)
# Domain IOCs: exact, case-insensitive match on the DNS query name (depth =
# content length plus isdataat:!1,relative). The msg text separates
# "botnet C2 traffic" from "payload delivery" entries; confidence_level is
# repeated in metadata so it can be read without parsing msg.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nigecoy.run"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518048/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mexicodarta.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518049/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nigerecuon.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518051/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maxpecoe.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518052/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oreconp.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518053/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloudflare.eradigitalibl.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vovoh.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"din.akurasiibl.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518034; rev:1;)
# The next two rules cover the same host twice: sid 91518030 needs a cleartext
# GET whose URI starts with the listed path, sid 91518031 fires on the DNS
# lookup alone. The DNS rule is the one that still alerts when the HTTP
# exchange itself is not visible to the sensor (for example inside TLS).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"charity.cafedantorels.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charity.cafedantorels.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518031; rev:1;)
# URL IOCs: http.uri is a prefix match (depth only), http.host is an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goap"; depth:5; nocase; http.host; content:"therefsphn.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518029/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqtr"; depth:5; nocase; http.host; content:"romulusy.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518028/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xotap.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bisaj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518020; rev:1;)
# ip:port IOC: header-only match (no flow, flags or content keyword) on any TCP
# packet from $HOME_NET to the listed address and port; threshold caps it at
# one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [23.146.242.237] 5817 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518026/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518026; rev:1;)
alert tcp $HOME_NET any 
-> [81.71.246.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518025/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518025; rev:1;)
# ip:port IOCs. These rules match on the packet header alone: any TCP packet
# from $HOME_NET to the bracketed address on the listed port, with no flow or
# payload condition, so they also fire on connection attempts and on TLS
# sessions (port 443 entries) without needing decryption. threshold limits each
# rule to one alert per source host per 60 seconds.
# NOTE(review): rules carry first_seen but no expiry, and addresses can be
# reassigned; presumably stale entries leave when the feed is refreshed -
# confirm the update cadence on the sensor.
alert tcp $HOME_NET any -> [43.100.29.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518024/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518024; rev:1;)
alert tcp $HOME_NET any -> [106.52.207.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518023/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518023; rev:1;)
# Domain IOCs: exact, case-insensitive match on the DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"systimezone.center"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518022/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ms-healthcheck.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518021/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518021; rev:1;)
# URL IOC whose http.host is an IP literal: it matches only requests that
# address the server by that IP in the Host header. confidence_level is 50 here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.98.39.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518019/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91518019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quxap.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1518006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518006; rev:1;)
# ip:port IOCs at confidence_level 100; the malware family named in msg is the
# only per-family context the rule carries.
alert tcp $HOME_NET any -> [206.238.115.163] 954 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518018; rev:1;)
alert tcp $HOME_NET any -> [18.181.128.244] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518017; rev:1;)
alert tcp $HOME_NET any -> [54.212.6.27] 1913 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518016; rev:1;)
alert tcp $HOME_NET any -> [113.44.81.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518015; rev:1;)
alert tcp $HOME_NET any -> [89.40.31.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518014; rev:1;)
alert tcp $HOME_NET any -> [104.168.64.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518012; rev:1;)
alert tcp $HOME_NET any -> [166.108.200.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518013; rev:1;)
alert tcp $HOME_NET any -> [155.138.164.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518011; rev:1;)
alert tcp $HOME_NET any -> [47.121.133.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518010; rev:1;)
alert tcp $HOME_NET any -> [91.200.14.226] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518007; rev:1;)
# ip:port IOCs: header-only match on TCP packets from $HOME_NET to the listed
# address and port, limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [8.133.251.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518008; rev:1;)
alert tcp $HOME_NET any -> [107.149.240.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1518009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91518009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"topax.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517788; rev:1;)
# URL IOC: GET, URI beginning with the listed path (prefix match, nocase),
# Host header equal to the listed name. Visible only for cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/two/gates1/fre.php"; depth:19; nocase; http.host; content:"blesblochem.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1518001/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91518001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calub.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mugtrimol37.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517777; rev:1;)
# The domain rules below carry confidence_level 50 in both msg and metadata, yet
# share classtype trojan-activity with the 100% entries, so classtype alone does
# not separate them.
# NOTE(review): consider triaging on the confidence_level metadata key rather
# than treating every ThreatFox hit alike - confirm how the alert pipeline
# exposes rule metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"textureassets.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517775/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"winmy.news"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517776/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ap1w9f.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517762/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"apesquery.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517763/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"batchcopilot.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517764/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"caribsljm.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517765/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ceacg.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517766/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"countryclub.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517767/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cyprusestate.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517768/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dappassets.xyz"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517769/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517769; rev:1;)
# Domain IOCs at confidence_level 50: exact, case-insensitive match on the DNS
# query name (depth = content length, isdataat:!1,relative forbids trailing
# bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"decoding-us.media"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517770/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"logicalcomputer.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517771/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lymo.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517772/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"onsome.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517773/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"privacydapps.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517774/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517774; rev:1;)
# Multi-label names at confidence_level 100. Because the match is exact, only a
# query for the full listed hostname alerts; a lookup of the parent domain or of
# a sibling host under it is not covered by these two rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-customs-gov-lk.net-co.info"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-cbsl-gov-lk.dwnlld.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517758; rev:1;)
# URL IOC: the URI content ends in "/", and with depth as the only anchor any
# GET for an object beneath that directory on the listed host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/pdf/blackout-rehearsal-plan/wins/"; depth:38; nocase; http.host; content:"gchindia.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"falcondfy.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517752; rev:1;)
# ip:port IOCs: header-only match, one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [103.186.117.40] 47666 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517751/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517751; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.222] 2005 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517749/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"curux.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517747; rev:1;)
# URL IOCs. The first has an IP literal as http.host; the URI path on its own
# looks like an ordinary script file name, so the host condition is what keeps
# the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"149.104.28.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517748/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"tiffanyearringforwomen.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"serer.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517723/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517723; rev:1;)
# One host, two rules: sid 91517744 needs a cleartext GET whose URI starts with
# the listed path, sid 91517745 fires on the DNS lookup of the same name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"tiffanyearringforwomen.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tiffanyearringforwomen.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"anncrman.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517743/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517743; rev:1;)
# Hostnames under shared zones (duckdns.org and ddns.net are dynamic-DNS
# services; kro.kr and localto.net are presumably similar shared zones - TODO
# confirm). Each rule is an exact match on the full hostname, so other hosts
# under the same zone do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bulon.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517738/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lited-mafia.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517739/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"main.oooservers.kro.kr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517740/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"takibotnet.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517741/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"takidayne.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517742/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaonxeypl.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517737/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517737; rev:1;)
alert tcp $HOME_NET any -> [23.158.232.33] 3840 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517736/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"0kydwb3k6.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517735/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517735; rev:1;)
# URL IOC on a shared paste host: only the URI prefix ties the alert to this
# IOC. The rule fires for cleartext GETs whose URI starts with the listed /raw/
# path; other pastes on the same host do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/drdjuvjt"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517734/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"izoa.netsons.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517733/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517733; rev:1;)
# The URI content here is just "/" with depth:1, which any URI beginning with
# "/" satisfies, so this rule is effectively "any cleartext GET whose Host
# header is this address".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.144.53.255"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517732/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"154.53.165.98"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1517731/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517731; rev:1;)
# URL IOC with an IP literal as http.host: GET, URI starting with the listed
# path, Host header equal to the address. Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"87.247.188.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517730/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517730; rev:1;)
# ip:port IOCs, all at confidence_level 50. Each is a header-only match: any TCP
# packet from $HOME_NET to the bracketed address on the listed port, with no
# flow or payload condition, limited by threshold to one alert per source host
# per 60 seconds. Entries on ports 80 and 443 therefore alert on any traffic to
# that address and port, whatever is being requested.
# NOTE(review): with only an address and a port to go on, corroborate a hit
# with host or proxy telemetry before acting; the malware family in msg is the
# feed's label and is not something the rule itself verifies.
alert tcp $HOME_NET any -> [27.102.138.155] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517729/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517729; rev:1;)
alert tcp $HOME_NET any -> [103.28.90.181] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517728/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517728; rev:1;)
alert tcp $HOME_NET any -> [103.74.101.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517727/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517727; rev:1;)
alert tcp $HOME_NET any -> [94.98.211.222] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517726; rev:1;)
alert tcp $HOME_NET any -> [91.103.253.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517725; rev:1;)
alert tcp $HOME_NET any -> [146.70.213.35] 8081 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517724; rev:1;)
alert tcp $HOME_NET any -> [45.61.165.177] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517722/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517722; rev:1;)
# 3.80.91.122 appears in two rules below with different ports; each rule is
# port-specific, so traffic to that address on any other port does not alert.
alert tcp $HOME_NET any -> [3.80.91.122] 8142 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517721; rev:1;)
alert tcp $HOME_NET any -> [34.245.181.229] 19 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517719/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517719; rev:1;)
alert tcp $HOME_NET any -> [3.80.91.122] 12242 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517720; rev:1;)
alert tcp $HOME_NET any -> [51.38.225.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517718/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517718; rev:1;)
alert tcp $HOME_NET any -> [84.46.243.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517717/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517717; rev:1;)
alert tcp $HOME_NET any -> [207.180.248.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517713/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517713; rev:1;)
alert tcp $HOME_NET any -> [193.29.58.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517714; rev:1;)
alert tcp $HOME_NET any -> [147.45.178.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517715/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517715; rev:1;)
alert tcp $HOME_NET any -> [66.42.80.79] 31337 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517716/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517716; rev:1;) alert tcp $HOME_NET any -> [185.146.232.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517712/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517712; rev:1;) alert tcp $HOME_NET any -> [85.143.249.12] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517711/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517711; rev:1;) alert tcp $HOME_NET any -> [121.40.112.176] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517710; rev:1;) alert tcp $HOME_NET any -> [185.196.11.181] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517709; rev:1;) alert tcp $HOME_NET any -> [104.200.73.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517708/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_05_07; classtype:trojan-activity; sid:91517708; rev:1;) alert tcp $HOME_NET any -> [119.28.89.169] 9527 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_07; classtype:trojan-activity; sid:91517707; rev:1;) alert tcp $HOME_NET any -> [176.123.2.242] 5939 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517706/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tipaq.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webis.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517692; rev:1;) alert tcp $HOME_NET any -> [83.217.213.230] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517704/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517704; rev:1;) alert tcp $HOME_NET any -> [50.232.172.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517703/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbj"; depth:4; nocase; http.host; content:"umedicalbitkisel.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517702/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrqo"; depth:5; nocase; http.host; content:"lkariosefqcu.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517701/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqiw"; depth:5; nocase; http.host; content:"jonemiltxny.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517700/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrqo"; depth:5; nocase; http.host; content:"gariosefqcu.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517699/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; 
sid:91517699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"dorjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517698/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"3snakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517697/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517697; rev:1;) alert tcp $HOME_NET any -> [176.65.144.221] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517696/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517696; rev:1;) alert tcp $HOME_NET any -> [146.185.218.222] 49412 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517695/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517695; rev:1;) alert tcp $HOME_NET any -> [141.105.65.172] 1720 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517694/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517694; rev:1;) alert tcp $HOME_NET any 
-> [107.173.101.225] 8580 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517693/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kycaj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517678; rev:1;) alert tcp $HOME_NET any -> [5.183.95.52] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517691; rev:1;) alert tcp $HOME_NET any -> [113.44.39.1] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517690; rev:1;) alert tcp $HOME_NET any -> [158.51.125.27] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517689; rev:1;) alert tcp $HOME_NET any -> [93.198.190.251] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517688/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517688; rev:1;) alert tcp $HOME_NET any -> [188.27.74.233] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517687; rev:1;) alert tcp $HOME_NET any -> [192.121.246.220] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517686; rev:1;) alert tcp $HOME_NET any -> [45.144.53.255] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517685; rev:1;) alert tcp $HOME_NET any -> [173.225.100.207] 2681 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517681; rev:1;) alert tcp $HOME_NET any -> [172.94.53.66] 3191 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517682; rev:1;) alert tcp $HOME_NET any -> [87.98.236.198] 110 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517683; rev:1;) alert tcp $HOME_NET any -> [188.93.233.249] 8443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517684; rev:1;) alert tcp $HOME_NET any -> [89.40.31.128] 9373 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517679; rev:1;) alert tcp $HOME_NET any -> [23.95.162.101] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"ydescenrugb.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517677/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517677; rev:1;) alert tcp $HOME_NET any -> [45.130.145.52] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517675/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fadoj.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517676; rev:1;) alert tcp $HOME_NET any -> [93.115.0.18] 443 (msg:"ThreatFox FastSpy payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517666; rev:1;) alert tcp $HOME_NET any -> [45.130.145.52] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517674; rev:1;) alert tcp $HOME_NET any -> [196.251.80.4] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517673/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwio"; depth:5; nocase; http.host; content:"stuffgull.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517672/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqiw"; depth:5; nocase; http.host; content:"onemiltxny.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517671/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mben"; depth:5; nocase; http.host; content:"octalfbsh.bet"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517670/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woap"; depth:5; nocase; http.host; content:"descenrugb.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517668/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqba"; depth:5; nocase; http.host; content:"homewappzb.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517669/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrqo"; depth:5; nocase; http.host; 
content:"ariosefqcu.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517667/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517667; rev:1;) alert tcp $HOME_NET any -> [193.27.90.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517597; rev:1;) alert tcp $HOME_NET any -> [31.14.252.90] 4444 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517598; rev:1;) alert tcp $HOME_NET any -> [43.135.9.55] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517599; rev:1;) alert tcp $HOME_NET any -> [129.226.189.66] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517600; rev:1;) alert tcp $HOME_NET any -> [107.172.61.133] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517601; 
rev:1;) alert tcp $HOME_NET any -> [107.172.61.133] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvcloud.myddns.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip-50-116-22-186.cloudezapp.io"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517604; rev:1;) alert tcp $HOME_NET any -> [34.74.204.123] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517605; rev:1;) alert tcp $HOME_NET any -> [103.148.163.45] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517606; rev:1;) alert tcp $HOME_NET any -> [129.212.136.19] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517613; rev:1;) alert tcp $HOME_NET any -> [47.122.153.145] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517614; rev:1;) alert tcp $HOME_NET any -> [154.12.20.34] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517615; rev:1;) alert tcp $HOME_NET any -> [95.111.252.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517616; rev:1;) alert tcp $HOME_NET any -> [34.9.145.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517617; rev:1;) alert tcp $HOME_NET any -> [159.223.84.144] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; 
sid:91517618; rev:1;) alert tcp $HOME_NET any -> [54.229.8.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517619; rev:1;) alert tcp $HOME_NET any -> [44.220.220.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517620; rev:1;) alert tcp $HOME_NET any -> [37.27.250.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517621; rev:1;) alert tcp $HOME_NET any -> [52.213.183.75] 9001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517622; rev:1;) alert tcp $HOME_NET any -> [172.236.221.94] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517623; rev:1;) alert tcp $HOME_NET any -> [3.255.233.102] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1517624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517624; rev:1;) alert tcp $HOME_NET any -> [1.92.158.252] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517625; rev:1;) alert tcp $HOME_NET any -> [181.32.51.159] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517626; rev:1;) alert tcp $HOME_NET any -> [34.28.218.71] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517627; rev:1;) alert tcp $HOME_NET any -> [46.114.52.114] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517628; rev:1;) alert tcp $HOME_NET any -> [46.247.134.249] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517629; rev:1;) alert tcp $HOME_NET 
any -> [54.161.15.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517631; rev:1;) alert tcp $HOME_NET any -> [161.97.73.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517630; rev:1;) alert tcp $HOME_NET any -> [24.4.238.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zogun.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517633; rev:1;) alert tcp $HOME_NET any -> [45.130.145.51] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517634; rev:1;) alert tcp $HOME_NET any -> [45.130.145.52] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517636/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517636; rev:1;)
# Tofsee C2 entries for 45.130.145.51 and 45.130.145.52, one sid per
# address/port pair; the ports in this stretch fall between 416 and 431.
# The rules match on address and port only, and each sid is limited to one alert
# per source address per 60 seconds, so a host that contacts several of these
# ports produces one alert per sid rather than one per connection. When
# counting affected hosts, aggregate by source address across the sids.
alert tcp $HOME_NET any -> [45.130.145.52] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517635; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517637; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517638; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517639; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517640; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517641; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517642; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517643; rev:1;)
# Domain rule: depth equals the content length and isdataat:!1,relative forbids
# trailing bytes, so only a query for exactly this name (case-insensitive) fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cyruh.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517644; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517645; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517646; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517647; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517649; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517648; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.52] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517650; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517651; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517663/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517663; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.51] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517664; rev:1;)
# Payload-delivery indicators. Two rule shapes are used below:
#  - dns: the query must equal the listed name exactly (depth = content length,
#    isdataat:!1,relative = nothing after it), compared case-insensitively.
#    Queries for subdomains of the listed name do not match.
#  - http: client-to-server traffic on an established flow, "GET" in the method
#    buffer, a URI that begins with the listed path (depth anchors the start;
#    the URI has no end anchor, so a longer URI with the same prefix also
#    matches), and a Host value equal to the listed name.
#    NOTE(review): the http rules depend on the sensor parsing the request as
#    HTTP; confirm what coverage exists for the same hosts over TLS.
# Unlike the ip:port rules, the dns and http rules carry no threshold keyword,
# so every matching query or request raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gozog.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517571; rev:1;)
# christianlouboutin2017.top and levciavia.top share the /ifh/ paths (min.js,
# select.js, lll.php); watchesbest.top uses the same file names under /jse/
# (minjs.js, select.js, lll.php). The path pattern is worth pivoting on in
# proxy logs, since the rules only cover the hosts listed here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"christianlouboutin2017.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"christianlouboutin2017.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"christianlouboutin2017.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"christianlouboutin2017.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qyhux.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517590; rev:1;)
# C2 url rule whose Host value is a literal address (154.53.165.98); the file
# also carries an ip:port rule for that address on port 80 (sid 91517587).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"154.53.165.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nagyg.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nodeapiintegrate.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/lll.php"; depth:12; nocase; http.host; content:"watchesbest.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/testes.zip"; depth:11; nocase; http.host; content:"lgsdesign.co.uk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"watchesbest.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/select.js"; depth:14; nocase; http.host; content:"watchesbest.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lgsdesign.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jse/minjs.js"; depth:13; nocase; http.host; content:"watchesbest.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raszas.zip"; depth:11; nocase; http.host; content:"lgsdesign.co.uk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517539; rev:1;)
# ip:port rule: address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.158.245.56] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"levciavia.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"levciavia.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"levciavia.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"levciavia.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lysys.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/trackcpu/providercentralpublic/3javascriptpacket/jstrackbasevideo/5/to/providerpollcpuprocessordefaulttraffic.php"; depth:114; nocase; http.host; content:"109.120.152.121"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517665; rev:1;)
# C2 ip:port rules. Each matches TCP traffic from $HOME_NET to one address and
# port with no flow or payload condition, and alerts at most once per source
# address per 60 seconds (threshold type limit, track by_src). The family name
# in msg comes from the feed entry; the rule itself does not inspect the
# protocol, so on ports such as 80 or 443 a hit shows contact with the
# address, which should be corroborated with host or proxy evidence.
# metadata carries the feed's confidence_level and first_seen date, which can be
# used to prioritise or age out alerts downstream.
alert tcp $HOME_NET any -> [47.112.99.0] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517661; rev:1;)
alert tcp $HOME_NET any -> [118.24.89.121] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517662; rev:1;)
alert tcp $HOME_NET any -> [163.179.244.131] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517659; rev:1;)
alert tcp $HOME_NET any -> [47.242.233.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517660; rev:1;)
alert tcp $HOME_NET any -> [8.141.113.34] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517658; rev:1;)
alert tcp $HOME_NET any -> [121.41.108.106] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517657; rev:1;)
alert tcp $HOME_NET any -> [124.223.71.152] 8082 (msg:"ThreatFox Vshell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517612; rev:1;)
# Same address on two ports (8080 and 8090), one sid each.
alert tcp $HOME_NET any -> [144.172.101.67] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517610; rev:1;)
alert tcp $HOME_NET any -> [144.172.101.67] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517611; rev:1;)
alert tcp $HOME_NET any -> [177.45.128.151] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517609; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name
# (depth = content length, isdataat:!1,relative = nothing after it).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.94-156-189-245.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517607; rev:1;)
alert tcp $HOME_NET any -> [18.181.191.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517608; rev:1;)
# C2 url rule: GET whose URI begins with the listed path and whose Host value
# equals the listed address; fires per matching request (no threshold keyword).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tpm/pin.php"; depth:12; nocase; http.host; content:"172.245.123.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517596; rev:1;)
# The next rules (AsyncRAT on 80.64.18.173 and Remcos on 104.37.4.128 ports
# 7010-7012) carry confidence_level 75 rather than 100; treat a lone hit as a
# lead to verify rather than a confirmed infection.
alert tcp $HOME_NET any -> [80.64.18.173] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517594/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517594; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.128] 7011 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517592/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517592; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.128] 7012 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517593/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517593; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.128] 7010 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517591/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_07; classtype:trojan-activity; sid:91517591; rev:1;)
alert tcp $HOME_NET any -> [178.255.245.115] 2135 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517589; rev:1;)
alert tcp $HOME_NET any -> [18.119.192.75] 8081 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517588; rev:1;)
# 154.53.165.98 also appears as the Host value of a C2 url rule in this file
# (sid 91517595, GET /pages/login.php); the two alerts can be correlated.
alert tcp $HOME_NET any -> [154.53.165.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517587; rev:1;)
alert tcp $HOME_NET any -> [93.198.182.192] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517586; rev:1;)
alert tcp $HOME_NET any -> 
[180.188.179.113] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517585; rev:1;)
# Mixed C2 indicators follow.
#  - dns rules match a query for exactly the listed name, case-insensitively
#    (depth = content length, isdataat:!1,relative = nothing after it); a
#    query for a subdomain of the listed name does not match.
#  - tcp ip:port rules match on destination address and port only and alert at
#    most once per source address per 60 seconds. They do not inspect the
#    protocol, so hits on 80/443 in particular need corroboration from host or
#    proxy evidence before a host is treated as compromised.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smusxath.socalmediazone.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517584; rev:1;)
alert tcp $HOME_NET any -> [165.22.90.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517583; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.6] 1931 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emreizol.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517580; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.77] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517581; rev:1;)
alert tcp $HOME_NET any -> [198.12.121.168] 8686 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_07; classtype:trojan-activity; sid:91517579; rev:1;)
# From here on the metadata first_seen value is 2025_05_06 instead of 2025_05_07.
alert tcp $HOME_NET any -> [23.133.4.98] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517574; rev:1;)
# C2 url rule: GET whose URI begins with the listed path and whose Host value
# equals the listed name; it carries no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/260b1b77.php"; depth:13; nocase; http.host; content:"cr72811.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517573; rev:1;)
alert tcp $HOME_NET any -> [196.251.70.216] 443 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517570; rev:1;)
alert tcp $HOME_NET any -> [2.45.248.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517569; rev:1;)
alert tcp $HOME_NET any -> [13.245.196.23] 1911 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517568; rev:1;)
alert tcp $HOME_NET any -> [91.84.97.102] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517567; rev:1;)
alert tcp $HOME_NET any -> [20.120.225.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517564; rev:1;)
alert tcp $HOME_NET any -> [161.132.51.146] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517565; rev:1;)
alert tcp $HOME_NET any -> [52.221.250.95] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517563; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.216] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517561; rev:1;)
alert tcp $HOME_NET any -> [196.251.117.147] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517562; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.102] 7977 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517559; rev:1;)
alert tcp $HOME_NET any -> [149.88.71.241] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517560; rev:1;)
# Three Remcos entries on different addresses, all on port 2404.
alert tcp $HOME_NET any -> [23.27.48.77] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517558; rev:1;)
alert tcp $HOME_NET any -> [108.181.199.16] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517556; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.111] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517557; rev:1;)
alert tcp $HOME_NET any -> [121.43.152.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517555; rev:1;)
alert tcp $HOME_NET any -> [47.103.60.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517552; rev:1;)
alert tcp $HOME_NET any -> [103.140.154.111] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517553; rev:1;)
# 47.112.99.0 is also listed in this file on port 8443 (sid 91517661).
alert tcp $HOME_NET any -> [47.112.99.0] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517554; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.25] 26425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517534/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517534; rev:1;)
# The two Sliver rules below carry confidence_level 50, yet use the same alert
# action and classtype as the 100% rules. The confidence is visible only in msg
# and metadata, so triage or alert routing has to read it from there.
# NOTE(review): ioc ids 1377375 and 1377390 are far below the 1517xxx ids around
# them although first_seen is the same day — presumably older entries that were
# re-reported; check the reference pages.
alert tcp $HOME_NET any -> [8.210.236.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1377375/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91377375; rev:1;)
alert tcp $HOME_NET any -> [8.222.138.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1377390/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91377390; rev:1;)
# Domain indicators. In each rule depth equals the length of the content string
# and isdataat:!1,relative requires that nothing follows it, so the dns_query
# buffer must equal the listed name exactly (case-insensitively, via nocase).
# A query for a subdomain of the listed name does not match.
# The header is $HOME_NET -> $EXTERNAL_NET: where clients use an internal
# resolver, the sensor presumably sees only the resolver's outbound query and
# target:src_ip then names the resolver, not the client — confirm per deployment.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wyban.run"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demseladini.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woselamas.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"news.zf-emea.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517158; rev:1;)
# URL and domain indicators for homemick.live and okunevv.com.
# The http rules need an established client-to-server flow and a GET method.
# http.host is pinned exactly (depth = content length, plus isdataat:!1,relative),
# but http.uri is anchored at the start only: "/log/in"; depth:7 is a prefix
# match, and "/"; depth:1 accepts every URI that begins with "/", so sid:91517161
# in practice fires on any GET whose Host is okunevv.com.
# nocase on the one-character content "/" has no effect.
# "alert http" only matches traffic the sensor parses as HTTP; an HTTPS visit to
# the same host is covered only by the dns rule for that name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/in"; depth:7; nocase; http.host; content:"homemick.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homemick.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"okunevv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"okunevv.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"cciincmi.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517514/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517514; rev:1;)
# Domain indicators at confidence_level 75. msg says "botnet C2 traffic" without
# naming a malware family, so the family has to come from the reference URL.
# Each rule matches the exact query name only (depth = content length, plus
# isdataat:!1,relative); subdomains of these names are not covered.
# NOTE(review): "electrum-wcllet.com" and "trust-wcllet.com" read like
# wallet-brand lookalikes ("wcllet" for "wallet") — presumably phishing-related;
# confirm on the IOC pages before classifying a hit as C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electrum-wcllet.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517515/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trust-wcllet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517516/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alexricardoblog.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517520/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ncrdlpcss.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517517/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tangem-wcllet.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1517518/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517518; rev:1;)
# Domain indicators at confidence_level 75, exact-name match on dns_query.
# sid:91517523 lists the full host name "trezor.network-w3.com" with depth:21:
# only that host matches, not the parent network-w3.com or any sibling host.
# These rules see plaintext DNS only; lookups sent over an encrypted resolver
# channel never reach the dns_query buffer, so absence of alerts is not proof
# that a name was not resolved.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloud-b2cx.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517519/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atticusblahblahblah.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517521/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bdagly.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517522/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trezor.network-w3.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517523/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grabyourbookhere.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517524/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91517524; rev:1;)
# Mixed indicators: exact-name dns_query rules plus one ip:port rule (XWorm).
# The dns rules match the listed name exactly; the tcp rule matches the header
# tuple only and is rate-limited to one alert per source per 60 seconds.
# NOTE(review): "mcmaster.giize.com" looks like a host under a shared
# dynamic-DNS parent zone — confirm. The exact-name match keeps the rule from
# flagging other hosts under the same parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"returnboxesss.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517525/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vsmml.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517529; rev:1;)
alert tcp $HOME_NET any -> [41.216.188.194] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcmaster.giize.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skfwp.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517526; rev:1;)
alert tcp $HOME_NET any -> [213.212.57.101] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517509/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517509; rev:1;)
# Mirai ip:port indicators, all on port 1311 at confidence_level 75.
# Each rule matches the tcp header tuple only (no payload, flow or flags
# keyword), so any packet from $HOME_NET to the listed address on 1311 alerts.
# The threshold caps output at one alert per source per rule per 60 seconds.
# NOTE(review): a tuple match shows contact was attempted, not that a C2
# session existed; check flow records for bytes exchanged before escalating.
alert tcp $HOME_NET any -> [213.212.57.124] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517510/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517510; rev:1;)
alert tcp $HOME_NET any -> [216.185.217.60] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517511/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517511; rev:1;)
alert tcp $HOME_NET any -> [220.127.201.28] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517512/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517512; rev:1;)
alert tcp $HOME_NET any -> [221.146.139.30] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517513/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517513; rev:1;)
alert tcp $HOME_NET any -> [195.91.206.60] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517496/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517496; rev:1;)
alert tcp 
$HOME_NET any -> [195.133.215.16] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517497/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517497; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# In every rule the sid is the ThreatFox ioc id from the reference URL with a
# leading 9 (e.g. ioc/1517498 -> sid:91517498), so an alert's sid leads straight
# to the IOC page that justifies it.
alert tcp $HOME_NET any -> [196.251.116.138] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517498/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517498; rev:1;)
alert tcp $HOME_NET any -> [198.231.30.218] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517499/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517499; rev:1;)
alert tcp $HOME_NET any -> [198.231.30.222] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517500/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517500; rev:1;)
alert tcp $HOME_NET any -> [204.10.179.232] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517501/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517501; rev:1;)
alert tcp $HOME_NET any -> [206.189.11.93] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517502/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517502; rev:1;)
# Mirai ip:port indicators on port 1311, tuple-only match.
# confidence_level 75 appears only in msg and metadata; action (alert) and
# classtype (trojan-activity) are the same as for 100% indicators, so any
# severity split by confidence has to be done downstream from the metadata.
alert tcp $HOME_NET any -> [210.6.166.148] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517503/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517503; rev:1;)
alert tcp $HOME_NET any -> [213.67.94.181] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517504/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517504; rev:1;)
alert tcp $HOME_NET any -> [213.67.127.76] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517505/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517505; rev:1;)
alert tcp $HOME_NET any -> [213.112.189.147] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517506/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517506; rev:1;)
alert tcp $HOME_NET any -> [213.204.193.47] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517507/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517507; rev:1;)
alert tcp $HOME_NET any -> [213.204.214.195] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517508/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517508; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# target:src_ip tags the $HOME_NET source as the target in the alert record,
# i.e. the internal host is the asset to investigate, not the listed address.
# NOTE(review): behind NAT or a proxy the source seen by the sensor may not be
# the originating host — confirm against the sensor's placement.
alert tcp $HOME_NET any -> [185.179.247.147] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517484/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517484; rev:1;)
alert tcp $HOME_NET any -> [185.189.226.76] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517485/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517485; rev:1;)
alert tcp $HOME_NET any -> [185.210.90.127] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517486/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517486; rev:1;)
alert tcp $HOME_NET any -> [185.232.37.79] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517487/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517487; rev:1;)
alert tcp $HOME_NET any -> [185.232.38.138] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517488/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517488; rev:1;)
alert tcp $HOME_NET any -> [192.121.10.231] 1311 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517489/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517489; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# metadata carries first_seen 2025_05_06 (presumably the date ThreatFox first
# recorded the indicator). Nothing in a rule expires it, so retiring addresses
# that have been reassigned depends on reloading a fresh copy of the rule file.
alert tcp $HOME_NET any -> [192.165.0.69] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517490/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517490; rev:1;)
alert tcp $HOME_NET any -> [192.165.0.176] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517491/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517491; rev:1;)
alert tcp $HOME_NET any -> [193.183.210.158] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517492/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517492; rev:1;)
alert tcp $HOME_NET any -> [193.200.78.28] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517493/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517493; rev:1;)
alert tcp $HOME_NET any -> [194.68.24.35] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517494/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91517494; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# Several rules below list separate addresses inside 185.128.170.0/24, one rule
# and one sid per address rather than a single network match.
# NOTE(review): a dense run of neighbouring addresses on one port may reflect
# how the indicators were collected — check the IOC pages before treating every
# hit as confirmed C2.
alert tcp $HOME_NET any -> [194.132.68.15] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517495/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517495; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.87] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517474/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517474; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.89] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517475/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517475; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.90] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517476/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517476; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.113] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517477/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517477; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.119] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1517478/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517478; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# The threshold is tracked by_src per rule: one internal host that contacts
# several of these addresses within a minute produces one alert per sid, not
# one alert in total, so group by source address when counting affected hosts.
alert tcp $HOME_NET any -> [185.154.206.42] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517479/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517479; rev:1;)
alert tcp $HOME_NET any -> [185.179.247.33] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517480; rev:1;)
alert tcp $HOME_NET any -> [185.179.247.39] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517481/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517481; rev:1;)
alert tcp $HOME_NET any -> [185.179.247.99] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517482/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517482; rev:1;)
alert tcp $HOME_NET any -> [185.179.247.131] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517483/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517483; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.76] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517464/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517464; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75): consecutive
# addresses 185.128.170.77 through .81, one rule and one sid per address.
# Each rule matches the tcp header tuple only; the threshold limits output to
# one alert per source per rule per 60 seconds.
alert tcp $HOME_NET any -> [185.128.170.77] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517465/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517465; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.78] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517466/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517466; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.79] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517467/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517467; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.80] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517468/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517468; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.81] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517469/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517469; rev:1;)
alert 
tcp $HOME_NET any -> [185.128.170.82] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517470/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517470; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75) for further
# addresses in 185.128.170.0/24. The list is per address and has gaps, so an
# address in the same /24 that is not listed raises no alert.
# Each rule matches the tcp header tuple only.
alert tcp $HOME_NET any -> [185.128.170.84] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517471/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517471; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.85] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517472/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517472; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.86] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517473/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517473; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.60] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517453/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517453; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.61] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517454/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517454; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75) for addresses
# 185.128.170.62 to .67, one rule per address, tuple-only match.
# These rules cover outbound traffic from $HOME_NET only; inbound connections
# from the listed addresses are outside their header and raise nothing here.
alert tcp $HOME_NET any -> [185.128.170.62] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517455/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517455; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.63] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517456/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517456; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.64] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517457/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517457; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.65] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517458/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517458; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.67] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517459/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517459; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.70] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517460/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517460; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# The action is alert, so these rules record contact but do not stop it;
# containment of a flagged source has to happen outside this rule set.
alert tcp $HOME_NET any -> [185.128.170.71] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517461/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517461; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.74] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517462/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517462; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.75] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517463/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517463; rev:1;)
alert tcp $HOME_NET any -> [184.105.68.187] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517443/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517443; rev:1;)
alert tcp $HOME_NET any -> [184.105.68.199] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517444/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517444; rev:1;)
alert tcp $HOME_NET any -> [184.105.68.228] 1311 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517445/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517445; rev:1;)
# Mirai ip:port indicators on port 1311 (confidence_level 75), tuple-only match.
# All rules are rev:1 and keyed by sid; a local change to one (for example a
# suppression for a known-benign source) should reference the sid so that it
# still applies after the rule file is refreshed.
alert tcp $HOME_NET any -> [185.26.227.26] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517446/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517446; rev:1;)
alert tcp $HOME_NET any -> [185.83.95.40] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517447/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517447; rev:1;)
alert tcp $HOME_NET any -> [185.122.90.35] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517448/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517448; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.36] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517449/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517449; rev:1;)
alert tcp $HOME_NET any -> [185.128.170.54] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517450/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91517450; rev:1;) alert tcp $HOME_NET any -> [185.128.170.55] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517451/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517451; rev:1;) alert tcp $HOME_NET any -> [185.128.170.56] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517452/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517452; rev:1;) alert tcp $HOME_NET any -> [170.39.13.3] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517430/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517430; rev:1;) alert tcp $HOME_NET any -> [170.39.13.4] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517431/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517431; rev:1;) alert tcp $HOME_NET any -> [170.52.65.250] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517432/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517432; rev:1;) alert tcp $HOME_NET any -> [171.25.157.154] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1517433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517433; rev:1;) alert tcp $HOME_NET any -> [176.101.165.180] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517434; rev:1;) alert tcp $HOME_NET any -> [176.120.170.203] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517435; rev:1;) alert tcp $HOME_NET any -> [178.42.34.154] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517436; rev:1;) alert tcp $HOME_NET any -> [181.41.245.5] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517437/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517437; rev:1;) alert tcp $HOME_NET any -> [184.104.239.240] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517438/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517438; rev:1;) alert tcp $HOME_NET any -> [184.105.68.62] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517439/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517439; rev:1;) alert tcp $HOME_NET any -> [184.105.68.67] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517440/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517440; rev:1;) alert tcp $HOME_NET any -> [184.105.68.138] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517441/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517441; rev:1;) alert tcp $HOME_NET any -> [184.105.68.163] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517442/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517442; rev:1;) alert tcp $HOME_NET any -> [158.51.68.228] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517417/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517417; rev:1;) alert tcp $HOME_NET any -> [158.51.68.249] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517418/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517418; rev:1;) alert 
tcp $HOME_NET any -> [160.7.243.251] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517419/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517419; rev:1;) alert tcp $HOME_NET any -> [160.32.224.157] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517420/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517420; rev:1;) alert tcp $HOME_NET any -> [160.119.4.89] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517421/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517421; rev:1;) alert tcp $HOME_NET any -> [160.119.18.57] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517422/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517422; rev:1;) alert tcp $HOME_NET any -> [160.119.24.236] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517423/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517423; rev:1;) alert tcp $HOME_NET any -> [162.247.146.163] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517424/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517424; rev:1;) alert tcp $HOME_NET any -> [162.247.147.72] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517425/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517425; rev:1;) alert tcp $HOME_NET any -> [162.247.150.146] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517426/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517426; rev:1;) alert tcp $HOME_NET any -> [166.48.102.53] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517427/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517427; rev:1;) alert tcp $HOME_NET any -> [166.141.177.23] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517428/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517428; rev:1;) alert tcp $HOME_NET any -> [166.168.97.57] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517429/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517429; rev:1;) alert tcp $HOME_NET any -> [143.110.176.223] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517404/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517404; rev:1;) alert tcp $HOME_NET any -> [149.115.83.82] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517405/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517405; rev:1;) alert tcp $HOME_NET any -> [152.89.181.226] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517406/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517406; rev:1;) alert tcp $HOME_NET any -> [156.228.232.70] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517407/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517407; rev:1;) alert tcp $HOME_NET any -> [156.228.232.72] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517408/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517408; rev:1;) alert tcp $HOME_NET any -> [156.228.232.73] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517409/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517409; rev:1;) alert tcp $HOME_NET any -> [158.51.68.24] 1311 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517410/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517410; rev:1;) alert tcp $HOME_NET any -> [158.51.68.48] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517411/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517411; rev:1;) alert tcp $HOME_NET any -> [158.51.68.54] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517412/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517412; rev:1;) alert tcp $HOME_NET any -> [158.51.68.109] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517413/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517413; rev:1;) alert tcp $HOME_NET any -> [158.51.68.132] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517414/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517414; rev:1;) alert tcp $HOME_NET any -> [158.51.68.147] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517415/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91517415; rev:1;) alert tcp $HOME_NET any -> [158.51.68.152] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517416/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517416; rev:1;) alert tcp $HOME_NET any -> [125.228.223.50] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517392/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517392; rev:1;) alert tcp $HOME_NET any -> [137.220.191.21] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517393/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517393; rev:1;) alert tcp $HOME_NET any -> [137.220.191.26] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517394/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517394; rev:1;) alert tcp $HOME_NET any -> [137.220.191.30] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517395/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517395; rev:1;) alert tcp $HOME_NET any -> [137.220.191.36] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517396/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517396; rev:1;) alert tcp $HOME_NET any -> [137.220.191.45] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517397/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517397; rev:1;) alert tcp $HOME_NET any -> [137.220.191.51] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517398/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517398; rev:1;) alert tcp $HOME_NET any -> [137.220.191.67] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517399/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517399; rev:1;) alert tcp $HOME_NET any -> [137.220.191.70] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517400/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517400; rev:1;) alert tcp $HOME_NET any -> [138.19.184.18] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517401/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517401; rev:1;) alert tcp $HOME_NET any -> [139.59.228.111] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517402/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517402; rev:1;) alert tcp $HOME_NET any -> [141.170.215.16] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517403/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517403; rev:1;) alert tcp $HOME_NET any -> [109.69.15.148] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517379/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517379; rev:1;) alert tcp $HOME_NET any -> [109.69.15.151] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517380/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517380; rev:1;) alert tcp $HOME_NET any -> [109.69.15.163] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517381/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517381; rev:1;) alert tcp $HOME_NET any -> [109.69.15.218] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517382/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517382; rev:1;) alert tcp $HOME_NET any -> [109.70.232.146] 
1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517383/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517383; rev:1;) alert tcp $HOME_NET any -> [109.70.234.54] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517384/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517384; rev:1;) alert tcp $HOME_NET any -> [109.70.234.80] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517385/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517385; rev:1;) alert tcp $HOME_NET any -> [116.86.217.203] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517386/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517386; rev:1;) alert tcp $HOME_NET any -> [119.207.185.25] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517387/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517387; rev:1;) alert tcp $HOME_NET any -> [120.86.173.46] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517388/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91517388; rev:1;) alert tcp $HOME_NET any -> [121.136.18.225] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517389/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517389; rev:1;) alert tcp $HOME_NET any -> [121.171.78.222] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517390/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517390; rev:1;) alert tcp $HOME_NET any -> [124.244.34.165] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517391/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517391; rev:1;) alert tcp $HOME_NET any -> [91.237.16.41] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517366/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517366; rev:1;) alert tcp $HOME_NET any -> [94.255.193.204] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517367/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517367; rev:1;) alert tcp $HOME_NET any -> [95.38.193.164] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1517368/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517368; rev:1;) alert tcp $HOME_NET any -> [95.56.22.114] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517369/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517369; rev:1;) alert tcp $HOME_NET any -> [99.116.228.38] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517370/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517370; rev:1;) alert tcp $HOME_NET any -> [99.228.226.19] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517371/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517371; rev:1;) alert tcp $HOME_NET any -> [99.232.231.14] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517372/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517372; rev:1;) alert tcp $HOME_NET any -> [99.250.64.81] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517373/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517373; rev:1;) alert tcp $HOME_NET any -> [106.105.76.24] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517374/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517374; rev:1;) alert tcp $HOME_NET any -> [108.168.17.23] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517375/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517375; rev:1;) alert tcp $HOME_NET any -> [109.8.197.115] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517376/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517376; rev:1;) alert tcp $HOME_NET any -> [109.69.15.134] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517377/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517377; rev:1;) alert tcp $HOME_NET any -> [109.69.15.140] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517378/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517378; rev:1;) alert tcp $HOME_NET any -> [83.223.27.127] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517353/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517353; rev:1;) alert tcp $HOME_NET 
any -> [83.233.99.58] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517354/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517354; rev:1;) alert tcp $HOME_NET any -> [84.218.124.234] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517355/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517355; rev:1;) alert tcp $HOME_NET any -> [85.197.178.8] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517356/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517356; rev:1;) alert tcp $HOME_NET any -> [85.197.184.196] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517357/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517357; rev:1;) alert tcp $HOME_NET any -> [85.226.151.8] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517358/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517358; rev:1;) alert tcp $HOME_NET any -> [85.230.218.203] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517359/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_05_06; classtype:trojan-activity; sid:91517359; rev:1;)
# The line above is the tail of a rule that starts before this excerpt; it is left exactly as found.
#
# The rules below are restored to one rule per line. Each one matches on header fields only:
# TCP from $HOME_NET (any source port) to a single listed address on port 1311. No flow, content
# or app-layer keyword is present, so an alert shows that a connection was attempted to the
# indicator, not that the listed malware's protocol was observed.
#   threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per source
#     address per 60 seconds for each rule.
#   target:src_ip -> the $HOME_NET source is marked as the target in the alert event.
#   sid -> the ThreatFox IOC id from the reference URL, prefixed with 9.
# Confidence is 75% and first_seen is 2025_05_06: confirm a hit against flow or host telemetry
# and the current ThreatFox entry before acting on it.
alert tcp $HOME_NET any -> [85.231.122.188] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517360/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517360; rev:1;)
alert tcp $HOME_NET any -> [85.239.33.160] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517361/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517361; rev:1;)
alert tcp $HOME_NET any -> [87.239.29.156] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517362/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517362; rev:1;)
alert tcp $HOME_NET any -> [90.141.12.196] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517363/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517363; rev:1;)
alert tcp $HOME_NET any -> [90.227.23.168] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517364/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517364; rev:1;)
alert tcp $HOME_NET any -> [91.130.48.21] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517365/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517365; rev:1;)
alert tcp $HOME_NET any -> [74.221.78.181] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517340/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517340; rev:1;)
alert tcp $HOME_NET any -> [74.221.78.187] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517341/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517341; rev:1;)
alert tcp $HOME_NET any -> [74.221.78.207] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517342/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517342; rev:1;)
alert tcp $HOME_NET any -> [75.155.149.184] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517343/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517343; rev:1;)
alert tcp $HOME_NET any -> [76.8.213.131] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517344/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517344; rev:1;)
alert tcp $HOME_NET any -> [77.38.177.94] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517345/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517345; rev:1;)
alert tcp $HOME_NET any -> [77.38.221.244] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517346/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517346; rev:1;)
alert tcp $HOME_NET any -> [78.67.14.89] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517347/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517347; rev:1;)
alert tcp $HOME_NET any -> [80.51.119.148] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517348/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517348; rev:1;)
alert tcp $HOME_NET any -> [81.224.52.110] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517349/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517349; rev:1;)
alert tcp $HOME_NET any -> [81.228.202.52] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517350/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517350; rev:1;)
# ThreatFox ip:port indicators tagged "Mirai botnet C2", restored to one rule per line
# (Suricata reads a rule from a single line unless the line is continued with a backslash).
#
# What a hit means: every rule here has the same shape, TCP from $HOME_NET (any source port)
# to exactly one listed address on destination port 1311. Detection rests on the address and
# port alone; no flow, content or app-layer keyword inspects the session. Treat an alert as
# "an internal host attempted TCP to a listed indicator", then confirm with flow records,
# DNS/proxy logs or host telemetry.
#
# Options shared by every rule:
#   threshold: type limit, track by_src, seconds 60, count 1
#       at most one alert per source address per 60 seconds, counted separately for each rule.
#   target:src_ip
#       the $HOME_NET source is marked as the target in the alert event, i.e. the host to triage.
#   metadata: confidence_level 75, first_seen 2025_05_06
#       ThreatFox's own confidence score and first-seen date, carried into the event.
#   sid / reference
#       the sid is the IOC id from the reference URL with a leading 9, so an alert maps back
#       to its ThreatFox entry.
#
# Maintenance: address indicators age as hosts are cleaned up or reassigned, so refresh this
# set from the feed rather than keeping a stale copy. Many destinations below sit in adjacent
# ranges (74.221.64-78.x, 64.89.245-254.x); the feed lists single addresses only, so
# collapsing them into a CIDR match would cover hosts ThreatFox did not report.
alert tcp $HOME_NET any -> [82.64.145.87] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517351/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517351; rev:1;)
alert tcp $HOME_NET any -> [82.199.117.108] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517352/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517352; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.86] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517328/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517328; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.91] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517329/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517329; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.93] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517330/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517330; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.96] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517331/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517331; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.152] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517332/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517332; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.174] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517333/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517333; rev:1;)
alert tcp $HOME_NET any -> [74.221.77.137] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517334/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517334; rev:1;)
alert tcp $HOME_NET any -> [74.221.77.152] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517335/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517335; rev:1;)
alert tcp $HOME_NET any -> [74.221.77.206] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517336/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517336; rev:1;)
alert tcp $HOME_NET any -> [74.221.78.131] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517337/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517337; rev:1;)
alert tcp $HOME_NET any -> [74.221.78.151] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517338/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517338; rev:1;)
alert tcp $HOME_NET any -> [74.221.78.180] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517339/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517339; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.126] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517316/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517316; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.53] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517317/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517317; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.55] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517318/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517318; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.68] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517319/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517319; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.69] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517320/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517320; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.71] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517321/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517321; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.74] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517322/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517322; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.79] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517323/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517323; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.80] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517324/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517324; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.82] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517325/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517325; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.83] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517326/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517326; rev:1;)
alert tcp $HOME_NET any -> [74.221.76.84] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517327/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517327; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.117] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517303/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517303; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.123] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517304/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517304; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.126] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517305/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517305; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.249] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517306/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517306; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.19] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517307/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517307; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.21] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517308/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517308; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.69] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517309/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517309; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.83] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517310/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517310; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.92] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517311/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517311; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.108] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517312/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517312; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.119] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517313/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517313; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.120] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517314/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517314; rev:1;)
alert tcp $HOME_NET any -> [74.221.75.122] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517315/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517315; rev:1;)
alert tcp $HOME_NET any -> [74.221.71.198] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517291/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517291; rev:1;)
alert tcp $HOME_NET any -> [74.221.72.147] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517292/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517292; rev:1;)
alert tcp $HOME_NET any -> [74.221.72.183] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517293/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517293; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.66] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517294/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517294; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.73] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517295/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517295; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.80] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517296/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517296; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.90] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517297/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517297; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.102] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517298/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517298; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.103] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517299/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517299; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.105] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517300/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517300; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.110] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517301/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517301; rev:1;)
alert tcp $HOME_NET any -> [74.221.73.116] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517302/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517302; rev:1;)
alert tcp $HOME_NET any -> [74.221.64.89] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517278/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517278; rev:1;)
alert tcp $HOME_NET any -> [74.221.64.94] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517279/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517279; rev:1;)
alert tcp $HOME_NET any -> [74.221.64.95] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517280/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517280; rev:1;)
alert tcp $HOME_NET any -> [74.221.67.41] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517281/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517281; rev:1;)
alert tcp $HOME_NET any -> [74.221.67.53] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517282/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517282; rev:1;)
alert tcp $HOME_NET any -> [74.221.68.81] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517283/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517283; rev:1;)
alert tcp $HOME_NET any -> [74.221.69.104] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517284/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517284; rev:1;)
alert tcp $HOME_NET any -> [74.221.70.7] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517285/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517285; rev:1;)
alert tcp $HOME_NET any -> [74.221.70.11] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517286/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517286; rev:1;)
alert tcp $HOME_NET any -> [74.221.71.30] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517287/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517287; rev:1;)
alert tcp $HOME_NET any -> [74.221.71.162] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517288/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517288; rev:1;)
alert tcp $HOME_NET any -> [74.221.71.170] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517289/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517289; rev:1;)
alert tcp $HOME_NET any -> [74.221.71.179] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517290/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517290; rev:1;)
alert tcp $HOME_NET any -> [69.18.10.132] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517266/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517266; rev:1;)
alert tcp $HOME_NET any -> [69.45.225.218] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517267/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517267; rev:1;)
alert tcp $HOME_NET any -> [69.45.225.219] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517268/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517268; rev:1;)
alert tcp $HOME_NET any -> [69.45.225.220] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517269/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517269; rev:1;)
alert tcp $HOME_NET any -> [69.138.127.249] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517270/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517270; rev:1;)
alert tcp $HOME_NET any -> [71.11.235.130] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517271/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517271; rev:1;)
alert tcp $HOME_NET any -> [72.9.114.153] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517272/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517272; rev:1;)
alert tcp $HOME_NET any -> [72.9.114.232] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517273/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517273; rev:1;)
alert tcp $HOME_NET any -> [72.9.121.132] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517274/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517274; rev:1;)
alert tcp $HOME_NET any -> [72.9.126.183] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517275/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517275; rev:1;)
alert tcp $HOME_NET any -> [72.53.231.104] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517276/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517276; rev:1;)
alert tcp $HOME_NET any -> [73.127.130.247] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517277/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517277; rev:1;)
alert tcp $HOME_NET any -> [64.89.252.89] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517255/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517255; rev:1;)
alert tcp $HOME_NET any -> [64.89.252.92] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517256/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517256; rev:1;)
alert tcp $HOME_NET any -> [64.89.253.42] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517257/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517257; rev:1;)
alert tcp $HOME_NET any -> [64.89.253.45] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517258/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517258; rev:1;)
alert tcp $HOME_NET any -> [64.89.253.80] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517259/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517259; rev:1;)
alert tcp $HOME_NET any -> [64.89.253.121] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517260/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517260; rev:1;)
alert tcp $HOME_NET any -> [64.89.253.123] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517261/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517261; rev:1;)
alert tcp $HOME_NET any -> [64.89.253.204] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517262/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517262; rev:1;)
alert tcp $HOME_NET any -> [64.89.254.190] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517263/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517263; rev:1;)
alert tcp $HOME_NET any -> [65.87.61.184] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517264/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517264; rev:1;)
alert tcp $HOME_NET any -> [68.84.153.228] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517265/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517265; rev:1;)
alert tcp $HOME_NET any -> [64.89.249.185] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517242/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517242; rev:1;)
alert tcp $HOME_NET any -> [64.89.249.206] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517243/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517243; rev:1;)
alert tcp $HOME_NET any -> [64.89.249.242] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517244/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517244; rev:1;)
alert tcp $HOME_NET any -> [64.89.250.75] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517245/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517245; rev:1;)
alert tcp $HOME_NET any -> [64.89.250.84] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517246; rev:1;)
alert tcp $HOME_NET any -> [64.89.250.101] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517247/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517247; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.11] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517248/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517248; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.37] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517249/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517249; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.107] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517250/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517250; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.157] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517251/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517251; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.185] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517252/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517252; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.186] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517253/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517253; rev:1;)
alert tcp $HOME_NET any -> [64.89.251.187] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517254/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517254; rev:1;)
alert tcp $HOME_NET any -> [64.89.245.227] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517228/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517228; rev:1;)
alert tcp $HOME_NET any -> [64.89.246.4] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517229/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517229; rev:1;)
alert tcp $HOME_NET any -> [64.89.246.46] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517230/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517230; rev:1;)
# The next rule runs past the end of this excerpt; its opening is left exactly as found.
alert tcp $HOME_NET any -> [64.89.246.58] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517231/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517231; rev:1;) alert tcp $HOME_NET any -> [64.89.246.171] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517232/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517232; rev:1;) alert tcp $HOME_NET any -> [64.89.247.67] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517233/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517233; rev:1;) alert tcp $HOME_NET any -> [64.89.247.112] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517234/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517234; rev:1;) alert tcp $HOME_NET any -> [64.89.247.131] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517235/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517235; rev:1;) alert tcp $HOME_NET any -> [64.89.247.196] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517236/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517236; rev:1;) alert tcp 
$HOME_NET any -> [64.89.247.198] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517237/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517237; rev:1;) alert tcp $HOME_NET any -> [64.89.248.142] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517238/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517238; rev:1;) alert tcp $HOME_NET any -> [64.89.248.178] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517239/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517239; rev:1;) alert tcp $HOME_NET any -> [64.89.248.203] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517240/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517240; rev:1;) alert tcp $HOME_NET any -> [64.89.248.234] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517241/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517241; rev:1;) alert tcp $HOME_NET any -> [64.89.243.93] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517216/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517216; rev:1;) alert tcp $HOME_NET any -> [64.89.243.114] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517217/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517217; rev:1;) alert tcp $HOME_NET any -> [64.89.243.122] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517218/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517218; rev:1;) alert tcp $HOME_NET any -> [64.89.243.238] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517219/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517219; rev:1;) alert tcp $HOME_NET any -> [64.89.244.2] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517220/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517220; rev:1;) alert tcp $HOME_NET any -> [64.89.244.47] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517221/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517221; rev:1;) alert tcp $HOME_NET any -> [64.89.244.90] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1517222/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517222; rev:1;) alert tcp $HOME_NET any -> [64.89.244.125] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517223/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517223; rev:1;) alert tcp $HOME_NET any -> [64.89.244.163] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517224/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517224; rev:1;) alert tcp $HOME_NET any -> [64.89.244.172] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517225/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517225; rev:1;) alert tcp $HOME_NET any -> [64.89.244.181] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517226/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517226; rev:1;) alert tcp $HOME_NET any -> [64.89.244.184] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517227/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517227; rev:1;) alert tcp $HOME_NET any -> [64.89.241.12] 1311 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517202/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517202; rev:1;) alert tcp $HOME_NET any -> [64.89.241.36] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517203/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517203; rev:1;) alert tcp $HOME_NET any -> [64.89.241.202] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517204/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517204; rev:1;) alert tcp $HOME_NET any -> [64.89.241.210] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517205/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517205; rev:1;) alert tcp $HOME_NET any -> [64.89.241.212] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517206/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517206; rev:1;) alert tcp $HOME_NET any -> [64.89.241.217] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517207/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517207; 
rev:1;) alert tcp $HOME_NET any -> [64.89.241.218] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517208/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517208; rev:1;) alert tcp $HOME_NET any -> [64.89.241.220] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517209/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517209; rev:1;) alert tcp $HOME_NET any -> [64.89.241.222] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517210/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517210; rev:1;) alert tcp $HOME_NET any -> [64.89.241.234] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517211/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517211; rev:1;) alert tcp $HOME_NET any -> [64.89.243.51] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517212/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517212; rev:1;) alert tcp $HOME_NET any -> [64.89.243.53] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517213/; target:src_ip; 
metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517213; rev:1;) alert tcp $HOME_NET any -> [64.89.243.62] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517214/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517214; rev:1;) alert tcp $HOME_NET any -> [64.89.243.91] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517215/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517215; rev:1;) alert tcp $HOME_NET any -> [59.148.115.109] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517189/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517189; rev:1;) alert tcp $HOME_NET any -> [59.149.184.223] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517190/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517190; rev:1;) alert tcp $HOME_NET any -> [61.239.102.47] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517191/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517191; rev:1;) alert tcp $HOME_NET any -> [61.239.241.35] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517192/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517192; rev:1;) alert tcp $HOME_NET any -> [64.72.55.47] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517193/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517193; rev:1;) alert tcp $HOME_NET any -> [64.89.240.117] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517194/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517194; rev:1;) alert tcp $HOME_NET any -> [64.89.240.123] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517195/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517195; rev:1;) alert tcp $HOME_NET any -> [64.89.240.169] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517196/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517196; rev:1;) alert tcp $HOME_NET any -> [64.89.240.171] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517197/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517197; rev:1;) alert tcp $HOME_NET any -> [64.89.240.173] 1311 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517198/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517198; rev:1;) alert tcp $HOME_NET any -> [64.89.240.183] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517199/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517199; rev:1;) alert tcp $HOME_NET any -> [64.89.240.190] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517200/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517200; rev:1;) alert tcp $HOME_NET any -> [64.89.240.198] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517201/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517201; rev:1;) alert tcp $HOME_NET any -> [38.54.71.20] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517178/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517178; rev:1;) alert tcp $HOME_NET any -> [38.85.167.3] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517179/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91517179; rev:1;) alert tcp $HOME_NET any -> [41.216.189.170] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517180/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517180; rev:1;) alert tcp $HOME_NET any -> [45.8.161.254] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517181/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517181; rev:1;) alert tcp $HOME_NET any -> [45.11.229.248] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517182/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517182; rev:1;) alert tcp $HOME_NET any -> [45.50.221.254] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517183/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517183; rev:1;) alert tcp $HOME_NET any -> [45.154.38.94] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517184/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517184; rev:1;) alert tcp $HOME_NET any -> [46.36.74.122] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517185/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517185; rev:1;) alert tcp $HOME_NET any -> [57.138.218.16] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517186/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517186; rev:1;) alert tcp $HOME_NET any -> [58.152.227.100] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517187/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517187; rev:1;) alert tcp $HOME_NET any -> [58.177.4.245] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517188/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517188; rev:1;) alert tcp $HOME_NET any -> [5.57.243.106] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517165/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517165; rev:1;) alert tcp $HOME_NET any -> [14.53.228.71] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517166/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517166; rev:1;) alert tcp $HOME_NET any -> [24.48.18.64] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517167/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517167; rev:1;) alert tcp $HOME_NET any -> [24.224.176.17] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517168/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517168; rev:1;) alert tcp $HOME_NET any -> [24.224.185.147] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517169/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517169; rev:1;) alert tcp $HOME_NET any -> [24.234.90.194] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517170/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517170; rev:1;) alert tcp $HOME_NET any -> [31.28.4.146] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517171/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517171; rev:1;) alert tcp $HOME_NET any -> [31.44.225.220] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517172/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517172; rev:1;) alert tcp $HOME_NET any -> [31.44.229.84] 1311 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517173/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517173; rev:1;) alert tcp $HOME_NET any -> [31.44.230.191] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517174/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517174; rev:1;) alert tcp $HOME_NET any -> [31.208.4.144] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517175/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517175; rev:1;) alert tcp $HOME_NET any -> [38.2.39.210] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517176/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517176; rev:1;) alert tcp $HOME_NET any -> [38.2.40.166] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517177/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517177; rev:1;) alert tcp $HOME_NET any -> [2.133.254.229] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517163/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91517163; rev:1;) alert tcp $HOME_NET any -> [5.57.242.144] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517164/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517164; rev:1;) alert tcp $HOME_NET any -> [69.165.70.166] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517157; rev:1;) alert tcp $HOME_NET any -> [154.53.165.98] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517156; rev:1;) alert tcp $HOME_NET any -> [13.115.238.27] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517155; rev:1;) alert tcp $HOME_NET any -> [103.57.251.96] 2096 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517154; rev:1;) alert tcp $HOME_NET any -> [212.224.107.135] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1517153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517153; rev:1;) alert tcp $HOME_NET any -> [176.65.144.114] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517152; rev:1;) alert tcp $HOME_NET any -> [45.135.180.12] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517151; rev:1;) alert tcp $HOME_NET any -> [196.251.71.236] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517149; rev:1;) alert tcp $HOME_NET any -> [196.251.71.236] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517150; rev:1;) alert tcp $HOME_NET any -> [94.237.83.115] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517148; rev:1;) alert tcp $HOME_NET any -> [134.209.189.235] 443 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517147; rev:1;) alert tcp $HOME_NET any -> [154.30.4.223] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517146; rev:1;) alert tcp $HOME_NET any -> [8.130.12.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517145; rev:1;) alert tcp $HOME_NET any -> [39.100.69.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517143; rev:1;) alert tcp $HOME_NET any -> [171.213.129.161] 33300 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517144; rev:1;) alert tcp $HOME_NET any -> [194.62.248.235] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517141/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_06; classtype:trojan-activity; sid:91517141; rev:1;) alert tcp $HOME_NET any -> [198.251.81.118] 59669 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517142; rev:1;) alert tcp $HOME_NET any -> [45.90.12.104] 1338 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517136; rev:1;) alert tcp $HOME_NET any -> [51.81.100.197] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517137; rev:1;) alert tcp $HOME_NET any -> [51.81.100.197] 4123 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517138; rev:1;) alert tcp $HOME_NET any -> [51.81.100.197] 8080 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517139; rev:1;) alert tcp $HOME_NET any -> [194.62.248.235] 4123 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1517140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517140; rev:1;) alert tcp $HOME_NET any -> [185.14.92.111] 10000 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517131; rev:1;) alert tcp $HOME_NET any -> [147.135.3.193] 7070 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517132; rev:1;) alert tcp $HOME_NET any -> [77.239.114.204] 10000 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517133; rev:1;) alert tcp $HOME_NET any -> [77.105.146.126] 7777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517134; rev:1;) alert tcp $HOME_NET any -> [78.40.116.170] 25565 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517135; rev:1;) alert tcp $HOME_NET any -> [172.65.150.137] 22 (msg:"ThreatFox Mirai botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517126; rev:1;) alert tcp $HOME_NET any -> [83.168.69.117] 22 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517127; rev:1;) alert tcp $HOME_NET any -> [15.204.12.151] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517128; rev:1;) alert tcp $HOME_NET any -> [94.156.170.148] 10000 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517129; rev:1;) alert tcp $HOME_NET any -> [45.90.12.81] 6969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517130; rev:1;) alert tcp $HOME_NET any -> [82.27.2.184] 10000 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91517122; rev:1;) alert tcp $HOME_NET any -> [209.141.38.239] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517123; rev:1;) alert tcp $HOME_NET any -> [198.251.81.96] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517124; rev:1;) alert tcp $HOME_NET any -> [178.236.244.39] 40138 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"email.gwlawgroupattorneys.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"pumatools.hu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517091/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"blzqq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517105; rev:1;) alert tcp $HOME_NET any -> [23.146.184.108] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-file-upload/zaroci.php"; depth:45; nocase; http.host; content:"kdsigncreation.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517107/; target:src_ip; metadata: confidence_level 95, first_seen 2025_05_06; classtype:trojan-activity; sid:91517107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xfgvj.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"email.gwlawgroupattorneys.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"cecilioc2.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wvnqb.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517115; rev:1;) alert tcp $HOME_NET any -> [217.156.123.148] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517112; rev:1;) alert tcp $HOME_NET any -> [217.156.123.150] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517113; rev:1;) alert tcp $HOME_NET any -> [176.65.141.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517111/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517111; rev:1;) alert tcp $HOME_NET any -> [114.66.58.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517110/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_05_06; classtype:trojan-activity; sid:91517110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qweznxplkudrmcvasjthoby.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517109/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517109; rev:1;) alert tcp $HOME_NET any -> [85.239.33.253] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517104; rev:1;) alert tcp $HOME_NET any -> [77.83.207.24] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517103; rev:1;) alert tcp $HOME_NET any -> [34.68.63.205] 3389 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517102; rev:1;) alert tcp $HOME_NET any -> [102.117.173.199] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517099; rev:1;) alert tcp $HOME_NET any -> [165.22.227.238] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517100; rev:1;) alert tcp $HOME_NET any -> [103.134.22.156] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517101; rev:1;) alert tcp $HOME_NET any -> [196.251.117.147] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517098; rev:1;) alert tcp $HOME_NET any -> [104.243.254.107] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517097; rev:1;) alert tcp $HOME_NET any -> [27.102.127.137] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517095; rev:1;) alert tcp $HOME_NET any -> [154.30.4.199] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517096; 
rev:1;) alert tcp $HOME_NET any -> [185.244.30.103] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517094; rev:1;) alert tcp $HOME_NET any -> [118.178.227.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517092; rev:1;) alert tcp $HOME_NET any -> [47.109.82.220] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidden.sh"; depth:10; nocase; http.host; content:"91.208.206.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516556; rev:1;) alert tcp $HOME_NET any -> [34.32.58.81] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517088; rev:1;) alert tcp $HOME_NET any -> [34.51.181.116] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517087; rev:1;) alert tcp $HOME_NET any -> [64.188.96.35] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517089; rev:1;) alert tcp $HOME_NET any -> [122.116.204.121] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517090/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91517090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serholders.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"statisticapp.asia"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wallsekker.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517085/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_06; classtype:trojan-activity; sid:91517085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miauwonderland.help"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdkxbax.click"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517082; rev:1;) alert tcp $HOME_NET any -> [193.186.4.126] 49419 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517081; rev:1;) alert tcp $HOME_NET any -> [154.39.0.186] 4488 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517078; rev:1;) alert tcp $HOME_NET any -> [154.39.0.186] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517079; rev:1;) alert tcp $HOME_NET any -> [216.9.225.163] 54040 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517080; rev:1;) alert tcp $HOME_NET any -> [196.251.69.149] 8002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517077; rev:1;) alert tcp $HOME_NET any -> [196.251.69.149] 8001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517075; rev:1;) alert tcp $HOME_NET any -> [5.249.160.134] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517076; rev:1;) alert tcp $HOME_NET any -> [154.39.0.186] 6666 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517073; rev:1;) alert tcp $HOME_NET any -> [62.60.226.140] 30305 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517074; rev:1;) alert tcp 
$HOME_NET any -> [185.241.208.118] 9683 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517070; rev:1;) alert tcp $HOME_NET any -> [185.196.9.68] 27374 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517071; rev:1;) alert tcp $HOME_NET any -> [37.120.151.102] 27374 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appxxssvc.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sys99.mooo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guest-visiting.gl.at.ply.gg"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"preplyg.preplyg.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anuel123.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stchimuss.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0kul-62391.portmap.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starefer8jabour2.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517059/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remotegrace25.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reconciliacion6meses3.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finalrem.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnmaks.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cestfinidns.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; 
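sid:91517064; rev:1;)
# The fragment above closes a rule that starts on the previous physical line.
#
# --- DNS indicators -----------------------------------------------------------
# Each rule inspects the dns_query buffer. depth equals the length of the
# domain and isdataat:!1,relative forbids trailing bytes, so only a query for
# exactly this name matches; a query for a subdomain of it does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aljob24.3utilities.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rickscottflorida.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starefer8jabour4.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starefer8jabour3.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starefer8jabour1.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1517056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517056; rev:1;)
#
# --- URL indicators whose value is a bare hostname ----------------------------
# As generated, these two rules searched for the hostname in http.uri with
# depth equal to its length, i.e. the request URI had to *begin* with the
# hostname. An origin-form request URI begins with "/", so the rules could not
# fire on ordinary client requests. The hostname is matched in http.host
# instead and anchored at both ends (depth + isdataat:!1,relative), the same
# way the other URL rules in this file anchor their host.
# nocase is dropped: Suricata lowercases http.host and both patterns are
# already lowercase.
# rev is bumped to 2 because the match logic changed. This file appears to be
# regenerated by the feed (see its "Last updated" header), so the change also
# needs reporting upstream or it will be overwritten.
# Coverage note: these rules only see cleartext HTTP. HTTPS to the same hosts
# needs a DNS or tls.sni match; none is visible for these names in this part
# of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"medo7as.duckdns.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517050; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"2448-217-164-80-34.ngrok-free.app"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1517051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517051; rev:1;)
#
# --- IP:port indicators -------------------------------------------------------
# These rules carry no payload or flow keywords: any TCP packet from $HOME_NET
# to the listed address and port matches. The threshold limits output to one
# alert per source address per 60 seconds. An address/port pair says nothing
# about the protocol spoken, so treat a hit as a lead to corroborate (host
# telemetry, DNS, TLS) and use first_seen in metadata when ageing indicators out.
alert tcp $HOME_NET any -> [147.185.221.19] 16347 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517045; rev:1;)
alert tcp $HOME_NET any -> [31.57.97.8] 443 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517046; rev:1;)
alert tcp $HOME_NET any -> [23.95.63.196] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517047; rev:1;)
alert tcp $HOME_NET any -> [31.57.97.8] 3333 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 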
reference:url, threatfox.abuse.ch/ioc/1517048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517048; rev:1;) alert tcp $HOME_NET any -> [194.59.31.36] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517049; rev:1;) alert tcp $HOME_NET any -> [104.28.244.231] 63378 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517038; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 7774 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517039; rev:1;) alert tcp $HOME_NET any -> [45.138.16.71] 1522 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517040; rev:1;) alert tcp $HOME_NET any -> [103.217.111.54] 7771 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517041; rev:1;) alert tcp $HOME_NET any -> [37.1.210.16] 5552 (msg:"ThreatFox XWorm botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517042; rev:1;) alert tcp $HOME_NET any -> [104.168.32.88] 1001 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517043; rev:1;) alert tcp $HOME_NET any -> [45.154.98.79] 9000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517044; rev:1;) alert tcp $HOME_NET any -> [194.59.30.200] 1684 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517030; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 8888 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517031; rev:1;) alert tcp $HOME_NET any -> [84.241.201.218] 8090 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91517032; rev:1;) alert tcp $HOME_NET any -> [23.137.100.54] 4281 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517033; rev:1;) alert tcp $HOME_NET any -> [77.105.164.112] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517034; rev:1;) alert tcp $HOME_NET any -> [37.235.156.47] 1488 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517035; rev:1;) alert tcp $HOME_NET any -> [146.103.38.9] 2467 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517036; rev:1;) alert tcp $HOME_NET any -> [46.8.194.222] 4040 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517037; rev:1;) alert tcp $HOME_NET any -> [94.111.48.173] 443 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1517022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517022; rev:1;) alert tcp $HOME_NET any -> [143.244.39.10] 1234 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517023; rev:1;) alert tcp $HOME_NET any -> [89.190.158.16] 443 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517024; rev:1;) alert tcp $HOME_NET any -> [208.91.189.14] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517025; rev:1;) alert tcp $HOME_NET any -> [193.158.181.218] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517026; rev:1;) alert tcp $HOME_NET any -> [185.243.99.45] 5000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517027; rev:1;) alert tcp $HOME_NET any -> [107.172.44.175] 1889 (msg:"ThreatFox XWorm botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517028; rev:1;) alert tcp $HOME_NET any -> [206.119.52.249] 6888 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517029; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 24615 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517013; rev:1;) alert tcp $HOME_NET any -> [197.48.206.37] 5505 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517014; rev:1;) alert tcp $HOME_NET any -> [134.175.85.30] 8999 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517015; rev:1;) alert tcp $HOME_NET any -> [192.241.152.251] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91517016; rev:1;) alert tcp $HOME_NET any -> [216.219.83.116] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517017; rev:1;) alert tcp $HOME_NET any -> [196.251.81.30] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517018; rev:1;) alert tcp $HOME_NET any -> [86.176.87.131] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517019; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 61136 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517020; rev:1;) alert tcp $HOME_NET any -> [107.175.65.160] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517021; rev:1;) alert tcp $HOME_NET any -> [104.28.212.228] 2137 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1517007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517007; rev:1;) alert tcp $HOME_NET any -> [45.80.158.80] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517008; rev:1;) alert tcp $HOME_NET any -> [147.185.221.22] 6666 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517009; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 6663 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517010; rev:1;) alert tcp $HOME_NET any -> [176.96.138.105] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517011; rev:1;) alert tcp $HOME_NET any -> [178.228.11.184] 8090 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517012; rev:1;) alert tcp $HOME_NET any -> [185.208.158.139] 7000 (msg:"ThreatFox XWorm botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516999; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 31149 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517000; rev:1;) alert tcp $HOME_NET any -> [89.23.100.148] 4790 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517001; rev:1;) alert tcp $HOME_NET any -> [89.117.49.234] 4322 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517002; rev:1;) alert tcp $HOME_NET any -> [85.203.4.241] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517003; rev:1;) alert tcp $HOME_NET any -> [80.85.154.131] 2618 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91517004; rev:1;) alert tcp $HOME_NET any -> [194.59.31.249] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517005; rev:1;) alert tcp $HOME_NET any -> [141.95.59.234] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1517006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91517006; rev:1;) alert tcp $HOME_NET any -> [45.201.0.219] 1000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516990; rev:1;) alert tcp $HOME_NET any -> [3.17.160.56] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516991; rev:1;) alert tcp $HOME_NET any -> [147.45.78.193] 9000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516992; rev:1;) alert tcp $HOME_NET any -> [91.202.25.209] 5552 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516993/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516993; rev:1;) alert tcp $HOME_NET any -> [147.185.221.25] 63795 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516994; rev:1;) alert tcp $HOME_NET any -> [108.181.199.16] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516995; rev:1;) alert tcp $HOME_NET any -> [185.208.156.210] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516996; rev:1;) alert tcp $HOME_NET any -> [104.28.212.228] 36691 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516997; rev:1;) alert tcp $HOME_NET any -> [38.68.49.121] 7777 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516998; rev:1;) alert tcp $HOME_NET any -> [147.185.221.24] 53983 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516982; rev:1;) alert tcp $HOME_NET any -> [193.26.115.44] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516983; rev:1;) alert tcp $HOME_NET any -> [92.119.178.3] 52663 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516984; rev:1;) alert tcp $HOME_NET any -> [46.226.167.193] 9000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516985; rev:1;) alert tcp $HOME_NET any -> [45.133.251.174] 9000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516986; rev:1;) alert tcp $HOME_NET any -> [85.203.4.56] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516987; rev:1;) alert tcp 
$HOME_NET any -> [41.250.150.18] 9321 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516988; rev:1;) alert tcp $HOME_NET any -> [185.254.97.125] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516989; rev:1;) alert tcp $HOME_NET any -> [44.244.152.122] 3989 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516974; rev:1;) alert tcp $HOME_NET any -> [146.103.25.63] 2467 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516975; rev:1;) alert tcp $HOME_NET any -> [87.251.78.226] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516976; rev:1;) alert tcp $HOME_NET any -> [149.22.84.147] 1255 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516977/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516977; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 5059 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516978; rev:1;) alert tcp $HOME_NET any -> [147.185.221.22] 21456 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516979; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 37005 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516980; rev:1;) alert tcp $HOME_NET any -> [185.241.208.97] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516981; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 14606 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516970; rev:1;) alert tcp $HOME_NET any -> [80.76.49.30] 420 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516971; rev:1;) alert tcp $HOME_NET any -> [61.69.170.155] 1255 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516972; rev:1;) alert tcp $HOME_NET any -> [104.194.144.105] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"focus-burn.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gallery-chevy.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"match-amounts.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516967/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_06; classtype:trojan-activity; sid:91516967; rev:1;)
# ThreatFox domain IOCs (botnet C2), all with first_seen 2025_05_06.
# Each rule alerts on a DNS query from $HOME_NET to $EXTERNAL_NET whose name equals
# the listed hostname: depth is set to the content length and isdataat:!1,relative
# rejects any byte after the match, so a longer name (for example a subdomain of the
# listed host) does not match; nocase makes the comparison case-insensitive.
# dns_query is the older spelling of the dns.query sticky buffer.
# target:src_ip records the querying side as the affected host in the alert.
# NOTE(review): none of these rules carries a threshold keyword, so every matching
# query raises an alert; rate-limit per source in threshold.config if one beaconing
# host floods the queue.
# NOTE(review): where clients resolve through an internal recursive resolver, the
# source address on these alerts may be the resolver rather than the client; this
# depends on sensor placement, so confirm and correlate with resolver query logs.
# NOTE(review): most names sit under shared tunnelling or dynamic-DNS parent domains
# (ply.gg, portmap.io, portmap.host, duckdns.org, ddns.net, zapto.org, ooguy.com),
# where a hostname can presumably be released and later claimed by an unrelated
# user; use first_seen to age these entries out instead of keeping them forever.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unless-agreement.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anyad-60069.portmap.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"group-linking.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test-mineral.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bank-material.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winservicesconsole.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sources-trap.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iraq-roses.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taking-oval.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neprobiesh-64818.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupsdata10.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dark-wikipedia.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martin-melbourne.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gousa-53644.portmap.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"american-escorts.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"me071949-22956.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gegesantx7.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friend-paintball.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"when-venture.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"texas-convention.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pictures-dealing.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reviews-respondent.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r-exploring.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"very-programming.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strategy-flexible.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"overview-force.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fastshopin-26131.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vafob72392-38954.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"note-horizon.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"required-algeria.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"natural-steam.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"purchase-meat.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minecraft.ieciqec.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"or-observed.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flowers-christina.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"types-reload.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"najatif831-54659.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analysis-closure.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"road-suffer.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stuff-spectacular.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anongroup.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xv5600.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"put-constant.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"china-fees.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"writing-adjustable.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9kbfitvdha-32409.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nartixsxsxs.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"near-obesity.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"export1.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"printer-refrigerator.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"httpss.ooguy.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klm22.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"port-clone.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"washedbrain0002-64745.portmap.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"registration-ranger.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uses-royal.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"field-alpha.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"companies-holdings.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssa-gov-windows.us"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsuo.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xofx.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tree-tm.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516905; rev:1;)
# ThreatFox domain IOCs (botnet C2), all with first_seen 2025_05_06, plus one URL IOC.
# The dns rules alert on a query from $HOME_NET to $EXTERNAL_NET whose name equals the
# listed hostname: depth is set to the content length and isdataat:!1,relative rejects
# any byte after the match, so a subdomain of a listed host does not match; nocase
# makes the comparison case-insensitive. target:src_ip records the querying side as
# the affected host.
# NOTE(review): the dns rules carry no threshold keyword, so every matching query
# raises an alert; where clients use an internal recursive resolver the alert source
# may be the resolver rather than the client (depends on sensor placement; confirm).
# NOTE(review): many names sit under shared tunnelling or dynamic-DNS parent domains
# (ply.gg, portmap.io, portmap.host, ddns.net, freeddns.org), where a hostname can
# presumably be reassigned to an unrelated user; age entries out using first_seen.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"australia-thehun.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dokuru-32085.portmap.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tojdorx77bc9-36404.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copy-love.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distribution-rc.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downloads-supplements.gl.at.ply.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adsadsadsdasdasd-53010.portmap.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garuda09.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdfnmsal.freeddns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"send-violations.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"areas-instrument.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"building-waves.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"item-istanbul.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"min-telling.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"say-bidding.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobrohost.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"since-vic.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thecoolboy123123-35227.portmap.host"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garfield2-33988.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows-std.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"city-impact.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hall-pn.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"insurance-favors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basis-gordon.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanai991-32051.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"improve-volt.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"printer-lucky.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deadbird8524-37163.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"risk-illness.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epicskillforge.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"washington-pix.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lin.yk99999.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"old-knight.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sun-exterior.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fixed-stretch.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"career-paperbacks.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516880; rev:1;)
# URL IOC: a Telegram Bot API sendMessage request. Matches an established
# client-to-server HTTP flow with method GET, a URI that begins with the listed
# /bot<id>:<token>/sendmessage path (depth 62 = content length, nocase, no end
# anchor, so a trailing query string still matches) and a Host header equal to
# api.telegram.org (depth 16 plus isdataat:!1,relative).
# NOTE(review): this rule inspects HTTP buffers, and api.telegram.org is normally
# reached over TLS, so it presumably fires only where the sensor sees decrypted
# traffic; confirm, and elsewhere rely on DNS or TLS SNI visibility of
# api.telegram.org from hosts with no business reason to contact Telegram.
# NOTE(review): only GET is matched; the same path requested with another method
# would not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7475087682:aaefjpwc86axzuoy9hveol7czhkkwwdwm7o/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"right-lecture.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owners-encryption.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"present-wanna.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ks-amk.ply.gg"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"park-by.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516868; rev:1;)
# ---------------------------------------------------------------------------
# Telegram Bot API indicators (ThreatFox "url" IOCs), one rule per bot path.
# Every rule below requires all of the following:
#   - flow:established,from_client : client-to-server side of an established
#     TCP session.
#   - http.method / content:"GET"  : the request method contains GET.
#   - http.uri / content + depth:62 + nocase : the URI starts with the listed
#     62-byte "/bot<id>:<token>/sendmessage" path, compared case-insensitively
#     (the pattern itself is written in lower case). Bytes after the path,
#     such as a query string, are not constrained.
#   - http.host / content + depth:16 + isdataat:!1,relative : the host is
#     exactly api.telegram.org, with nothing following it.
# target:src_ip records the internal client as the target in the alert.
#
# NOTE(review): these are "alert http" rules, so they inspect cleartext HTTP
# only. The Telegram Bot API is normally reached over HTTPS; unless TLS is
# decrypted ahead of the sensor these signatures are unlikely to fire.
# Confirm decryption coverage, or back them with proxy-log / TLS SNI
# detection for api.telegram.org.
# NOTE(review): only GET is matched; requests sent with another method would
# not be covered. Verify against the traffic seen for the referenced IOC.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7031368257:aaeayml3gtyo32u31gsczvzhj0rb5ftsrbk/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7578329923:aah1ybgpmcw1hvrifhwov539cm6iotqhmyc/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8177260835:aaexcx28dtj7-ekiv0s5tzm7zodxfqwk_8g/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8106600591:aafkno73mttmquvi4fbdge7hd2h7fnow8eg/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7257760192:aafclyomarwxkiacr3573mwqd62mbd_exga/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8059363624:aaehjaugtlx1v9c5izrlqpmja3ohatur0dk/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7782647045:aafm7l8c4taxj7d8a7frs8cjldxtbtkqtuo/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7478550442:aaffrjvuksvqtqxd68jniel-6ltquioajxw/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7949886343:aagsy11p4zibypc60ami_h8lcuqaownmce8/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7927310401:aahyddhi3rmvkvydrbqwj5u-p3hnxcqb_r4/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7787815780:aagtfucdrymu2i4vc1dnyoe2s3p1zhdbepi/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516851; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7740014778:aahvv4io_jup_5zn94wzwkib3odsdxvrsjm/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"become-solution.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayudahumanitaria20252025petro.duckdns.org"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keryanarch.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nawaf619-63560.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farids.casacam.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"said-closure.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"px01nathan.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wefdfdfdffgdfgf-23752.portmap.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"january-proposal.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516840; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"membership-med.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516841; rev:1;)
# ---------------------------------------------------------------------------
# DNS-query indicators (ThreatFox "domain" IOCs).
# dns_query selects the queried name as the inspection buffer. The content
# string, a depth equal to the string's length, and isdataat:!1,relative
# together require the queried name to be exactly the listed FQDN (nocase:
# compared case-insensitively). A parent domain or a deeper subdomain of the
# same name does not match. fast_pattern nominates the domain string as the
# rule's prefilter pattern.
# The rules alert on the lookup from $HOME_NET; nothing in them checks that
# the name resolved or that a connection followed.
#
# NOTE(review): the names here sit under parents that host many unrelated
# users (ply.gg, duckdns.org). The exact-FQDN match keeps the rest of the
# provider out of scope, but such host names are presumably easy to release
# and re-register - use first_seen to age entries out and correlate a hit
# with the follow-on connection before escalating.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collection-math.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"character-answered.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loan-can.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marsh3131.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"block-monthly.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"department-vista.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"everyone-lit.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"find-foul.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naiem.giize.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wakomi5046-28036.portmap.io"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klarkgabi.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jun-changing.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my-premises.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdtdias2025.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikerus69.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516822/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bart2025.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ujkds.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"note-russia.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genius22015-45242.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aula012.accesscam.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naomedeletecarai.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdt2024.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-skating.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kdhsna.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emobotnet.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envio28.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genius22015-33944.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bush-suits.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aula01.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vaitomarnoanel.webredirect.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516812; rev:1;) alert tcp $HOME_NET any -> [26.252.73.241] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516808; rev:1;) alert tcp $HOME_NET any -> [176.65.134.80] 4447 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516809; rev:1;) alert tcp $HOME_NET any -> [91.215.202.4] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516810; rev:1;) alert tcp $HOME_NET any -> [79.127.246.68] 23451 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516805; rev:1;) alert tcp $HOME_NET any -> [87.121.103.228] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516806; rev:1;) alert tcp $HOME_NET any -> [70.93.125.101] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516807; rev:1;) alert 
tcp $HOME_NET any -> [66.113.31.17] 21 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516802; rev:1;) alert tcp $HOME_NET any -> [85.203.4.56] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516803; rev:1;) alert tcp $HOME_NET any -> [200.223.103.60] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516804; rev:1;) alert tcp $HOME_NET any -> [45.190.102.144] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516793; rev:1;) alert tcp $HOME_NET any -> [154.197.69.148] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516794; rev:1;) alert tcp $HOME_NET any -> [185.94.29.209] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516795/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516795; rev:1;) alert tcp $HOME_NET any -> [85.203.4.56] 1834 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516796; rev:1;) alert tcp $HOME_NET any -> [185.27.134.137] 21 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516797; rev:1;) alert tcp $HOME_NET any -> [70.93.125.101] 1910 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516798; rev:1;) alert tcp $HOME_NET any -> [176.65.144.121] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516799; rev:1;) alert tcp $HOME_NET any -> [184.90.251.249] 4455 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516800; rev:1;) alert tcp $HOME_NET any -> [136.144.165.163] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516801; rev:1;) alert tcp $HOME_NET any -> [80.64.16.35] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516788; rev:1;) alert tcp $HOME_NET any -> [104.238.23.6] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516789; rev:1;) alert tcp $HOME_NET any -> [45.190.102.144] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516790; rev:1;) alert tcp $HOME_NET any -> [37.114.41.201] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516791; rev:1;) alert tcp $HOME_NET any -> [81.109.5.62] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516792; rev:1;) 
# ---------------------------------------------------------------------------
# AsyncRAT C2 indicators (ThreatFox "ip:port" IOCs).
# Each rule matches on addressing alone: TCP from $HOME_NET, any source
# port, to the single listed address and destination port. There is no
# content or flow keyword.
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at
# one alert per source address per 60 seconds.
# target:src_ip records the internal host as the target in the alert.
#
# NOTE(review): with no flow:established requirement, a single outbound
# packet (including an unanswered SYN) is enough to alert, so a hit shows an
# attempted connection rather than a completed C2 session - correlate with
# flow records before escalating.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [81.10.54.124] 6969 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516781; rev:1;)
alert tcp $HOME_NET any -> [70.93.125.101] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516782; rev:1;)
# NOTE(review): 1.2.1.4 looks like a placeholder-style value rather than an
# operator-chosen C2 host - verify against the referenced ThreatFox entry
# before using this rule for blocking.
alert tcp $HOME_NET any -> [1.2.1.4] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516783; rev:1;)
# NOTE(review): 147.185.221.27 and 193.161.193.99 recur in this feed with
# several different ports, alongside ply.gg and portmap.io domain indicators.
# Presumably they are shared tunnelling-service endpoints where a port can
# later be handed to an unrelated user - treat hits as time-bound (see
# first_seen) and confirm before adding the address itself to a blocklist.
alert tcp $HOME_NET any -> [147.185.221.27] 25036 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516784; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516785; rev:1;)
alert tcp $HOME_NET any -> [185.165.241.219] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516786/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516786; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 21812 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516787; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 9586 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516774; rev:1;) alert tcp $HOME_NET any -> [216.244.84.181] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516775; rev:1;) alert tcp $HOME_NET any -> [88.214.48.26] 1414 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516776; rev:1;) alert tcp $HOME_NET any -> [26.252.73.241] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516777; rev:1;) alert tcp $HOME_NET any -> [196.251.115.13] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516778; rev:1;) alert tcp $HOME_NET any -> [26.252.73.241] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516779; rev:1;) alert tcp $HOME_NET any -> [80.64.16.35] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516780; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516769; rev:1;) alert tcp $HOME_NET any -> [209.145.53.198] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516770; rev:1;) alert tcp $HOME_NET any -> [94.54.4.95] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; 
sid:91516771; rev:1;) alert tcp $HOME_NET any -> [79.127.246.68] 32452 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516772; rev:1;) alert tcp $HOME_NET any -> [147.185.221.26] 30496 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516773; rev:1;) alert tcp $HOME_NET any -> [13.53.182.212] 3939 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516764; rev:1;) alert tcp $HOME_NET any -> [82.6.188.15] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516765; rev:1;) alert tcp $HOME_NET any -> [80.64.16.35] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516766; rev:1;) alert tcp $HOME_NET any -> [147.185.221.26] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1516767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516767; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516768; rev:1;) alert tcp $HOME_NET any -> [185.94.29.209] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516758; rev:1;) alert tcp $HOME_NET any -> [91.215.202.4] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516759; rev:1;) alert tcp $HOME_NET any -> [31.58.91.75] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516760; rev:1;) alert tcp $HOME_NET any -> [37.114.41.201] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516761; rev:1;) alert tcp $HOME_NET any -> [196.251.118.41] 6606 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516762; rev:1;) alert tcp $HOME_NET any -> [1.2.1.4] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516763; rev:1;) alert tcp $HOME_NET any -> [196.251.118.41] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516750; rev:1;) alert tcp $HOME_NET any -> [184.90.251.249] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516751; rev:1;) alert tcp $HOME_NET any -> [154.29.79.7] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516752; rev:1;) alert tcp $HOME_NET any -> [178.83.80.11] 8100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516753; rev:1;) alert tcp $HOME_NET any -> [37.114.41.201] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516754; rev:1;) alert tcp $HOME_NET any -> [185.93.69.20] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516755; rev:1;) alert tcp $HOME_NET any -> [196.251.118.41] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516756; rev:1;) alert tcp $HOME_NET any -> [70.93.125.101] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516757; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 38046 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516744; rev:1;) alert tcp $HOME_NET any -> [87.121.103.228] 3785 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1516745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516745; rev:1;) alert tcp $HOME_NET any -> [185.94.29.209] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516746; rev:1;) alert tcp $HOME_NET any -> [196.251.118.41] 4447 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516747; rev:1;) alert tcp $HOME_NET any -> [185.165.241.219] 45 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516748; rev:1;) alert tcp $HOME_NET any -> [185.27.134.137] 7547 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"e60ec1657863c38b65e813d3e5822d46.serveo.net"; depth:43; nocase; reference:url, threatfox.abuse.ch/ioc/1516743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516743; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vqbondiscord/6e1c57695b6ab6f4fbfafc5ccb2b46a8/raw/daa86a214070c5ad926ce7ac19c925a8475b5285/backupserverinfo.txt"; depth:112; nocase; http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516742; rev:1;) alert tcp $HOME_NET any -> [143.244.39.10] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516738; rev:1;) alert tcp $HOME_NET any -> [26.214.10.127] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516739; rev:1;) alert tcp $HOME_NET any -> [45.61.169.197] 30 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516740; rev:1;) alert tcp $HOME_NET any -> [174.61.118.194] 4872 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516741; rev:1;) 
alert tcp $HOME_NET any -> [47.92.222.219] 33251 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516731; rev:1;) alert tcp $HOME_NET any -> [80.76.49.30] 3535 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516732; rev:1;) alert tcp $HOME_NET any -> [26.214.10.127] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516733; rev:1;) alert tcp $HOME_NET any -> [176.126.103.171] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516734; rev:1;) alert tcp $HOME_NET any -> [139.99.66.103] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516735; rev:1;) alert tcp $HOME_NET any -> [51.91.251.234] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1516736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516736; rev:1;) alert tcp $HOME_NET any -> [74.128.84.83] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516737; rev:1;) alert tcp $HOME_NET any -> [182.253.58.227] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516723; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 5437 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516724; rev:1;) alert tcp $HOME_NET any -> [78.101.165.174] 55847 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516725; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 45572 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516726; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 4782 (msg:"ThreatFox Quasar 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516727; rev:1;) alert tcp $HOME_NET any -> [45.51.59.242] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516728; rev:1;) alert tcp $HOME_NET any -> [193.151.108.40] 6666 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516729; rev:1;) alert tcp $HOME_NET any -> [151.236.21.144] 10212 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516730; rev:1;) alert tcp $HOME_NET any -> [178.255.126.210] 1234 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516715; rev:1;) alert tcp $HOME_NET any -> [213.209.143.58] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516716/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_06; classtype:trojan-activity; sid:91516716; rev:1;) alert tcp $HOME_NET any -> [82.15.146.164] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516717; rev:1;) alert tcp $HOME_NET any -> [143.244.39.16] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516718; rev:1;) alert tcp $HOME_NET any -> [45.51.59.242] 5900 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516719; rev:1;) alert tcp $HOME_NET any -> [147.185.221.28] 6965 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516720; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 57598 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516721; rev:1;) alert tcp $HOME_NET any -> [143.244.39.10] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516722; rev:1;) alert tcp $HOME_NET any -> [45.51.59.242] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516707; rev:1;) alert tcp $HOME_NET any -> [195.177.94.169] 3434 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516708; rev:1;) alert tcp $HOME_NET any -> [176.65.142.12] 2633 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516709; rev:1;) alert tcp $HOME_NET any -> [86.11.53.138] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516710; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 7772 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516711; rev:1;) alert tcp $HOME_NET 
any -> [100.96.1.217] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516712; rev:1;) alert tcp $HOME_NET any -> [100.75.67.51] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516713; rev:1;) alert tcp $HOME_NET any -> [3.88.227.97] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516714; rev:1;) alert tcp $HOME_NET any -> [82.15.146.164] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amirfifi-50469.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nortfbihell-46887.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1516700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win-scanners.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lines-register.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manager-cargo.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kit-step.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scriptdagoat-21700.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516705/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516705; rev:1;)
# DNS rules below: each alerts when a $HOME_NET host queries the listed name towards $EXTERNAL_NET.
# depth equals the name's length and isdataat:!1,relative forbids trailing bytes, so the dns_query buffer must
# equal the name (nocase); a lookup for a subdomain of a listed name does not match.
# Many names sit under shared parents (gl.at.ply.gg, portmap.io, duckdns.org, ddns.net); the exact match is what
# keeps unrelated hosts under the same parent from alerting.
# None of these rules sets threshold, so repeated lookups are not rate-limited by the rule itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed-differ.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haygulle.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notarattertrustme-30227.portmap.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rreaper-32501.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contact-trains.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobrossisverysigma-49244.portmap.io"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pictures-weekends.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pluhohio-42503.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meooow.su"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"california-arab.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free-east.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"all.ddnskey.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"public-bracelets.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paltalkroom.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"construction-fought.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qastar2981.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jobs-camcorder.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516685; rev:1;)
# HTTP URL rules below: established client-to-server flow, method content "GET", URI starting with the listed
# path (depth pins the start only, nocase) and Host equal to the listed name (depth plus isdataat:!1,relative).
# NOTE(review): these inspect the parsed HTTP buffers, so a request to the same host over TLS is presumably
# not covered unless the sensor sees decrypted traffic; confirm against the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"1orijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"mtortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"9vudatawavej.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516678;
rev:1;)
# HTTP URL rules (ThreatFox "url" IOCs). http.host must equal the listed name: depth is the name's length and
# isdataat:!1,relative rejects trailing bytes. http.uri is only start-anchored (depth equals the path length),
# so any URI that begins with the path matches, case-insensitively.
# Several entries share one path and differ only in the leading characters of the host (for example "/benj"
# with 4bearjk.live and gbearjk.live); because the host match is exact, a variant that is not listed does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"yvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"1climatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"copusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"bdatawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"ctechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pozz"; depth:5; nocase; http.host; content:"ftechmindj.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"jpraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"7umigeographys.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"4bearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"w6topographky.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oturu"; depth:6; nocase; http.host; content:"fnodepathr.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"gbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"gviriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"6orijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwes"; depth:5; nocase; http.host; content:"8techchaiun.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"vexitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"utortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5; nocase; http.host; content:"2corexlaib.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"0twoodpeckersd.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"kbrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/retu"; depth:5; nocase; http.host; content:"coyoteqw.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"fbtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"odisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"lzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"obiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"jfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5;
nocase; http.host; content:"jnscorexlaib.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516650; rev:1;)
# Visibility: every rule in this run uses the http protocol and the http.method / http.uri / http.host buffers.
# NOTE(review): a request to one of these hosts over TLS would presumably not populate those buffers unless the
# sensor sees decrypted traffic; confirm whether DNS or TLS coverage exists for the same names.
# All entries require method content "GET". No threshold keyword is present, so alert volume per host is not
# limited by the rules themselves.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"9disciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"mtechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"6scriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"mbtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wezd"; depth:5; nocase; http.host; content:"skunkxd.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"4elonfgshadow.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytrn"; depth:5; nocase; http.host; content:"fairytalesw.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"8eczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"6biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"irbuzzarddf.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"3civitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foajsi"; depth:7; nocase; http.host; content:"znavstarx.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"ebearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pqw"; depth:4; nocase; http.host; content:"homelecyfi.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"lpraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"cvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdat"; depth:5; nocase; http.host; content:"salmonqw.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"2tropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"9cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwena"; depth:6; nocase; http.host; content:"pejnguin.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"etechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"qpraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"1nighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"leczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"gdisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"6btcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516627/; target:src_ip; metadata: confidence_level 100, first_seen
2025_05_06; classtype:trojan-activity; sid:91516627; rev:1;)
# Triage: reference:url points at the ThreatFox IOC entry, and each sid is that IOC number prefixed with 9
# (ioc/1516623 -> sid:91516623), so an alert can be traced back to its feed entry.
# target:src_ip marks the $HOME_NET side of the flow as the target in alert output, i.e. the internal host to examine.
# The msg text names no malware family for these entries; metadata carries confidence_level 100 and
# first_seen 2025_05_06 on every rule here.
# NOTE(review): nothing in the rules expires an indicator; age entries out according to local policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5; nocase; http.host; content:"xcorexlaib.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"btechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/weq"; depth:4; nocase; http.host; content:"boreholeconstruction.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rtdd"; depth:5; nocase; http.host; content:"0antilcvope.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"6equatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qxaos"; depth:6; nocase; http.host; content:"issuehouf.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yiowo"; depth:6; nocase; http.host; content:"maximusw.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"3opusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"7brandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"jwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/djsuaj"; depth:7; nocase; http.host; content:"dweaponrywo.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"fdgeographys.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"jorijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"hbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iomqwe"; depth:7; nocase; http.host; content:"rabbitw.run"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"ffishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"0bardcauft.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bent"; depth:5; nocase; http.host; content:"ddatamanipy.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"fwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"9techguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"bvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"gbuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06;
classtype:trojan-activity; sid:91516605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"4praetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"0vigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"7orijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjyu"; depth:5; nocase; http.host; content:"circumii.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"jtropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/twoow"; depth:6; nocase; http.host; content:"datacuet.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"rfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shpaoz"; depth:7; nocase; http.host; content:"5jrxsafer.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"q9qzenithcorde.top"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1516594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"6techguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"fscriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"uintelhube.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"tfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516592; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ytortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"9praetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"eorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"xfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; 
http.host; content:"ypraetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abmn"; depth:5; nocase; http.host; content:"chivalryr.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"lscriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"mgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwes"; depth:5; nocase; http.host; content:"3techchaiun.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"8parakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"1zenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"wbuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aoiz"; depth:5; nocase; http.host; content:"rdarjkafsg.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"tvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ansbwqy"; depth:8; nocase; http.host; content:"raesccapewz.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"1praetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aosd"; depth:5; nocase; http.host; content:"chimselcaked.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"meczamedikal.org"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1516573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"uparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"vvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akrl"; depth:5; nocase; http.host; content:"mygadgety.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"1jbuzzarddf.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516569; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"rzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"vnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erap"; depth:5; nocase; http.host; content:"tomorrefig.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"s-tortoisgfe.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; 
nocase; http.host; content:"iviriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"wtortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"jbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"qdatawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pqoweb"; depth:7; nocase; http.host; content:"paincopp.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516561/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_06; classtype:trojan-activity; sid:91516561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"fhclarmodq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapz"; depth:5; nocase; http.host; content:"holyseypju.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwes"; depth:5; nocase; http.host; content:"ztechchaiun.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"xbitortoisgfe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btnf"; depth:5; nocase; http.host; content:"sectorecoo.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"obuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"eviriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqpo"; depth:5; nocase; http.host; content:"courtjew.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"ttzenithcorde.top"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1516547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"7.geographys.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ybbt"; depth:5; nocase; http.host; content:"tidalqhbf.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"4ubtcgeared.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"5fishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516544; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"4fishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516545; rev:1;)
#
# URL indicators: botnet C2, confidence level 100, first_seen 2025_05_06.
# Every rule in this run has the same shape and differs only in URI, host, reference id and sid:
#   flow:established,from_client   request side of an established flow
#   http.method + content:"GET"    the method buffer must contain GET
#   http.uri + content/depth/nocase
#                                  the URI must begin with the listed path, compared case-insensitively;
#                                  there is no end anchor, so a longer URI with the same prefix also matches
#   http.host + content/depth/isdataat:!1,relative
#                                  the host must equal the listed name exactly: depth equals the name
#                                  length, and isdataat:!1,relative rejects any byte after it
#   target:src_ip                  the $HOME_NET client is marked as the target side of the alert
# The http.* buffers are populated by the HTTP parser, so these rules see a request only where it is
# readable on the wire (plain HTTP, or TLS that is decrypted before inspection).
# NOTE(review): the msg text names no malware family for these URL entries; the family is presumably
# recorded on the referenced threatfox.abuse.ch/ioc/<id>/ page - confirm there during triage.
# NOTE(review): several hosts in this run share a stem and a URI path and differ only in their leading
# characters (for example the *fishgh.digital entries with /tequ and the *parakehjet.run entries with
# /kewk). Because the host match is exact, a further variant of the same stem is not covered here.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbdsa"; depth:6; nocase; http.host; content:"4htardwarehu.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"czenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"2fishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"qparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"aorjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iomqwe"; depth:7; nocase; http.host; content:"3rabbitw.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawo"; depth:5; nocase; http.host; content:"datacubei.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"kcivitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"0buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"tdisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"oeczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"3ozenithcorde.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"5eczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"atechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"8awoodpeckersd.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"dtropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"fypraetori.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"vzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iods"; depth:5; nocase; http.host; content:"zootechq.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"gtechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"vcivitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"2parakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"4medicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"5bearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"etechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"djcivitasu.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reoqi"; depth:6; nocase; http.host; content:"unicoriun.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"0datawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwes"; depth:5; nocase; http.host; content:"gtechchaiun.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"1a3techsyncq.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"uopusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aoiz"; depth:5; nocase; http.host; content:"ydarjkafsg.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"3parakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"j7bearjk.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bent"; depth:5; nocase; http.host; content:"bdatamanipy.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"nfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"uvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"8vecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"latropiscbs.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5; nocase; http.host; content:"scorexlaib.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"4exitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"bviriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bent"; depth:5; nocase; http.host; content:"qdatamanipy.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"7usnakejh.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"sorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"vzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"sbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"q8btcgeared.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"neczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"gparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"adisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"lparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"lfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"4vecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"ftopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeui"; depth:5; nocase; http.host; content:"9mediaflowq.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516489; rev:1;) alert tcp $HOME_NET any -> [196.251.83.129] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1516488/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stuffgull.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ariosefqcu.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homewappzb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"descenrugb.bet"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onemiltxny.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octalfbsh.bet"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rocketlump.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"novotransz.hu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516487/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robots.txt"; depth:11; nocase; http.host; content:"pumpcommunity.pages.dev"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robots.txt"; depth:11; nocase; http.host; content:"pumpfunaaexposed.pages.dev"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516477/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"toprestream.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/tradingview/index.html"; depth:30; nocase; http.host; content:"tradingviewprime.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516475/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm7"; depth:9; nocase; http.host; content:"91.208.206.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516466; rev:1;) alert tcp $HOME_NET any -> [45.130.145.19] 483 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516467; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516473; rev:1;) alert tcp $HOME_NET any -> [188.214.39.228] 10101 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516474/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516474; rev:1;) alert tcp $HOME_NET any -> [196.251.117.50] 5211 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516472; rev:1;) alert tcp $HOME_NET any -> [67.61.156.61] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516471/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516471; rev:1;) alert tcp $HOME_NET any -> [3.255.173.2] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516470/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516470; rev:1;) alert tcp $HOME_NET any -> [185.10.185.94] 7443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516469/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516469; rev:1;) alert tcp $HOME_NET any -> [128.199.7.255] 443 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516468/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/era-std"; depth:8; nocase; http.host; content:"e.overallwobbly.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516448; rev:1;) alert tcp $HOME_NET any -> [161.132.51.146] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516465; rev:1;) alert tcp $HOME_NET any -> [107.172.61.133] 6661 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516463; rev:1;) alert tcp $HOME_NET any -> [35.179.154.120] 8001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516464; rev:1;) alert tcp $HOME_NET any -> [51.21.29.251] 6666 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1516462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516462; rev:1;) alert tcp $HOME_NET any -> [207.148.96.97] 8888 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516461; rev:1;) alert tcp $HOME_NET any -> [195.133.194.205] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516460; rev:1;) alert tcp $HOME_NET any -> [104.168.81.231] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516457; rev:1;) alert tcp $HOME_NET any -> [212.162.151.143] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516458; rev:1;) alert tcp $HOME_NET any -> [196.251.83.60] 8787 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516459; rev:1;) alert tcp $HOME_NET any -> [196.251.85.241] 4440 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516456/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516456; rev:1;)
# URL IOCs at confidence 75: a GET whose URI begins with the listed short path
# (case-insensitive, no end anchor) and whose Host is exactly the listed name.
# The Host match carries the detection. The 4-5 byte path prefix is weak by
# itself. These rules have no threshold, so every matching request alerts.
# Requests carried over TLS are not seen without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"xvorjinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516455/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"nmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516454/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ktortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516453/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qos"; depth:4; nocase; http.host; content:"dmedikalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516452/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516452; rev:1;)
# URL IOCs at confidence 75: exact Host match plus a URI prefix match on GET
# requests. The hostnames differ from one another by a character or two, so
# each rule covers exactly one name and near-variants need their own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"8medicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516451/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"2nbiorijinalecza.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516449/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"7snakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516450/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516450; rev:1;)
# ip:port IOC: matches on destination address and port only, limited to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [80.64.30.111] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/era-stc"; depth:8; nocase; http.host; content:"e.overallwobbly.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516446; rev:1;)
# The tcp rules below are ip:port IOCs: they match on destination address and
# port alone, limited to one alert per source per 60 seconds.
# The dns rules are domain IOCs. Depth equal to the pattern length plus
# isdataat:!1,relative gives an exact, case-insensitive match on the queried
# name, so a subdomain of the listed name does not alert. dns_query is the
# older spelling of the dns.query buffer. Where clients resolve through an
# internal resolver, the alert source is that resolver, not the querying host.
alert tcp $HOME_NET any -> [88.214.50.26] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nates.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516444; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"majos.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516428; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516432/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_06; classtype:trojan-activity; sid:91516432; rev:1;)
# ip:port IOC at confidence 75: matches on address and port only. The feed's
# confidence_level is carried in metadata and can be used to set alert
# priority downstream.
alert tcp $HOME_NET any -> [104.37.4.27] 4508 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516442/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516442; rev:1;)
# URL IOCs at confidence 75: a GET with a URI prefix match (depth equals the
# pattern length, case-insensitive, no end anchor) and an exact Host match.
# They are visible only on cleartext or decrypted HTTP. With no threshold
# keyword, a polling client produces one alert per request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"vorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516441/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"tvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516440/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"sorjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516439/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; 
content:"rmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516438/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516438; rev:1;)
# URL IOCs at confidence 75: the Host must equal the listed name exactly
# (depth plus isdataat:!1,relative). The URI only has to begin with the listed
# path. The msg names no malware family, so attribution has to come from the
# referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qos"; depth:4; nocase; http.host; content:"medikalbitkisel.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"nsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516437/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbj"; depth:4; nocase; http.host; content:"medicalbitkisel.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kobe"; depth:5; nocase; http.host; content:"improvxf.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516434; rev:1;)
# URL IOC at confidence 75: URI prefix "/qop" plus exact Host match, on
# cleartext or decrypted HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"deczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516433; rev:1;)
# ip:port IOCs on port 443: matched on address and port only, without looking
# at the TLS handshake, so any connection from $HOME_NET to these addresses
# alerts (once per source per 60 seconds).
alert tcp $HOME_NET any -> [78.46.233.21] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516430; rev:1;)
alert tcp $HOME_NET any -> [5.75.211.124] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516431; rev:1;)
# The URI pattern here is "/" with depth:1, which every request path satisfies.
# In effect this rule matches any cleartext GET whose Host is the literal
# address 5.75.211.124. The same address is covered on port 443 by
# sid:91516431 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516429; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516425; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdfusdt.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516427; rev:1;)
# ip:port IOCs: address-and-port matches, each limited to one alert per source
# per 60 seconds. Several entries share an address or a /24 and differ only in
# port. Each is a separate sid, so a host that tries several ports raises
# several alerts.
alert tcp $HOME_NET any -> [80.64.18.25] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516426; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516388; rev:1;)
# Domain IOC: exact, case-insensitive match on the queried name
# (depth:11 plus isdataat:!1,relative). Subdomains of it do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wejic.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516389; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516390; rev:1;)
alert tcp $HOME_NET any -> [80.64.18.111] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1516421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516421; rev:1;)
# ip:port IOC: address-and-port match, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [88.214.50.24] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516422; rev:1;)
# Domain IOCs: each rule matches one queried name exactly and
# case-insensitively (depth equals the pattern length, then
# isdataat:!1,relative). A lookup is evidence of intent to connect, not of a
# completed connection. Lookups sent over encrypted DNS are not seen by these
# rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssacare.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kissfinger.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monkeyactor.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"eggsong.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516419/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_06; classtype:trojan-activity; sid:91516419; rev:1;)
# Domain IOCs: exact, case-insensitive match on the queried name. The first
# rule is confidence 100 and the four after it are confidence 50. The
# metadata value is the only thing that distinguishes them, since the
# classtype is the same throughout.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geecare.help"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aureliae.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516414/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeneasq.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516415/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"drypingzyr.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516416/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"starfiswh.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516417/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"bottlebite.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516413; rev:1;)
# Domain IOCs at confidence 50. Each rule matches one full hostname exactly,
# so only the listed subdomain alerts, not the parent zone.
# NOTE(review): ply.gg and portmap.host look like shared tunnelling or
# port-forwarding services, where the subdomain identifies one customer.
# Confirm against the ThreatFox entry before treating a hit as C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eur-norway.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516408/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kirill121212-26976.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516409/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pinis13f-46039.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516410/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"w-gtk.gl.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516411/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"mrxmrxking459-35024.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516412/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516412; rev:1;)
# URL IOCs on a shared paste site, confidence 50. The Host match alone would
# hit ordinary use of the site, so the detection depends on the
# "/raw/<paste id>" prefix. The prefix is case-insensitive and has no end
# anchor.
# NOTE(review): pastebin.com is normally reached over HTTPS, so these rules
# fire only where TLS is decrypted before the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/kbtpqkwq"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516406/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xbwdsmzr"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516407/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516407; rev:1;)
# ip:port IOCs at confidence 50: address-and-port matches with no protocol
# check. Port 3306 is the usual MySQL port, so a hit on the first rule cannot
# by itself distinguish database traffic from C2.
alert tcp $HOME_NET any -> [123.58.218.108] 3306 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516404/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516404; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.100] 1424 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516405/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"caidume1368.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516403/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516403; rev:1;)
# Domain IOCs at confidence 50 on dynamic-DNS zones. Each rule matches one
# full hostname exactly, so other names under the same zone do not alert.
# Dynamic-DNS names can be re-pointed or re-registered, so check the age of
# the entry (first_seen) when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ali-ali88.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516402/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lover33.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516401/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516401; rev:1;)
# URL IOCs at confidence 50. In the first rule the URI pattern is "/" with
# depth:1, so it reduces to "any cleartext GET to this Host". The second rule
# pins a specific .php path on a Host given as an IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"f0867029.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516400/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a228f64bf7ebcb0.php"; depth:21; nocase; http.host; content:"62.60.226.232"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516399/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516399; rev:1;)
alert tcp $HOME_NET any -> [35.75.191.152] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516398/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516398; rev:1;)
# ip:port IOCs at confidence 50: address-and-port matches only, one alert per
# source per 60 seconds. Two of these use well-known service ports (80, 389),
# and nothing in the rule checks what protocol is actually spoken. Treat a hit
# as a lead and corroborate it with flow or host data.
alert tcp $HOME_NET any -> [27.102.138.156] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516397/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516397; rev:1;)
alert tcp $HOME_NET any -> [118.122.8.154] 389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516396/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516396; rev:1;)
alert tcp $HOME_NET any -> [196.251.85.133] 1235 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516395/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516395; rev:1;)
alert tcp $HOME_NET any -> [109.199.117.74] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516394/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516394; rev:1;)
alert tcp $HOME_NET any -> [45.55.98.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516393/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516393; rev:1;)
alert tcp $HOME_NET any -> [45.55.98.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516393/; target:src_ip; metadata: confidence_level 
50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516393; rev:1;)
# ip:port IOCs labelled Cobalt Strike: the first two are confidence 50 and the
# rest are confidence 100. All match on address and port only and do not
# inspect the beacon traffic itself, so the family label comes from the feed.
# Each rule is limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [124.71.200.1] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516392/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516392; rev:1;)
alert tcp $HOME_NET any -> [154.222.16.194] 8865 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516391/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516391; rev:1;)
alert tcp $HOME_NET any -> [8.219.232.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516387; rev:1;)
alert tcp $HOME_NET any -> [8.219.93.92] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516386; rev:1;)
alert tcp $HOME_NET any -> [8.134.70.73] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516385; rev:1;)
alert tcp $HOME_NET any -> [47.89.194.207] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516311; rev:1;) alert tcp $HOME_NET any -> [121.41.108.106] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516312; rev:1;) alert tcp $HOME_NET any -> [196.251.71.236] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516313; rev:1;) alert tcp $HOME_NET any -> [196.251.71.236] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516314; rev:1;) alert tcp $HOME_NET any -> [196.251.71.236] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newlinedesign.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516316; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angry-bird.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novexaa.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zuvexaa.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516320; rev:1;) alert tcp $HOME_NET any -> [85.192.48.2] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516321; rev:1;) alert tcp $HOME_NET any -> [31.57.228.145] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516323; rev:1;) alert tcp $HOME_NET any -> [103.137.249.202] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1516324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516324; rev:1;) alert tcp $HOME_NET any -> [18.184.225.196] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516325; rev:1;) alert tcp $HOME_NET any -> [181.206.158.190] 2000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516326; rev:1;) alert tcp $HOME_NET any -> [43.224.227.176] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516329; rev:1;) alert tcp $HOME_NET any -> [18.196.103.121] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516331; rev:1;) alert tcp $HOME_NET any -> [51.124.120.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516332; rev:1;) alert tcp $HOME_NET any -> 
[185.198.234.150] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516333; rev:1;) alert tcp $HOME_NET any -> [85.110.180.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516334; rev:1;) alert tcp $HOME_NET any -> [92.255.85.15] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516335; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516336; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516337; rev:1;) alert tcp $HOME_NET any -> [80.64.30.111] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516338/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516338; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516339; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516318; rev:1;) alert tcp $HOME_NET any -> [80.64.30.111] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516327; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516340; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516341; rev:1;) alert tcp $HOME_NET any -> [92.255.85.15] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516342; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516343; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516344; rev:1;) alert tcp $HOME_NET any -> [80.64.30.111] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516345; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516346; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516347; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 431 (msg:"ThreatFox 
Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516348; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516349; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516350; rev:1;) alert tcp $HOME_NET any -> [92.255.85.15] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516351; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516352; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; 
classtype:trojan-activity; sid:91516353; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516354; rev:1;) alert tcp $HOME_NET any -> [92.255.85.15] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516355; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516356; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516357; rev:1;) alert tcp $HOME_NET any -> [92.255.85.15] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516358; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1516359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516359; rev:1;) alert tcp $HOME_NET any -> [80.64.30.111] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516360; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516361; rev:1;) alert tcp $HOME_NET any -> [80.64.30.111] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516362; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516363; rev:1;) alert tcp $HOME_NET any -> [92.255.85.15] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516364; rev:1;) alert tcp $HOME_NET any -> [88.214.50.24] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516365; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516366; rev:1;) alert tcp $HOME_NET any -> [80.64.30.111] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516367; rev:1;) alert tcp $HOME_NET any -> [88.214.50.26] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516368; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516369; rev:1;) alert tcp $HOME_NET any -> [88.214.50.27] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516370; rev:1;) 
# Tofsee ip:port rules: each rule matches TCP traffic from $HOME_NET to one
# address and port. There is no flow or content keyword, so any packet to the pair
# matches, including a connection attempt that is never answered; the threshold
# keeps each rule to one alert per source address per 60 seconds. In this part of
# the list the same five addresses (80.64.30.111, 88.214.50.24, 88.214.50.26,
# 88.214.50.27, 92.255.85.15) recur on ports 416-431, one sid per pair, so a
# single host talking to the cluster can raise many distinct sids in the same
# minute; group by destination address when triaging.
alert tcp $HOME_NET any -> [88.214.50.26] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516371; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516372; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516373; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516374; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.26] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516375; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516376; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.26] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516377; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516378; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516379; rev:1;)
# Domain rules: the content is anchored at the start of the dns_query buffer by
# depth (equal to the name's length) and at the end by isdataat:!1,relative, and
# is compared case-insensitively. Only a query for exactly this name matches;
# subdomains of it do not. These rules set no threshold, so every matching query
# can alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cajuc.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516380; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516381; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.26] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516289; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516290; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516291; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516292; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516293; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516294; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516295; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516296; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516297; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516298; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516299; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516300; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.24] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516301; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516302; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516303; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.27] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516304; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516305; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516307; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516308; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.111] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516309; rev:1;)
alert tcp $HOME_NET any -> [92.255.85.15] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516310; rev:1;)
# confidence_level 50: the feed scores this domain lower than its neighbours; the
# metadata value can be used to triage or route it separately.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"api.goretep.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516306; rev:1;)
# URL rules: inspect client requests on established flows. http.uri is matched
# from its first byte (depth equals the path length) with nocase and has no end
# anchor, so a longer URI that starts with the same path also matches. http.host
# must equal the listed host exactly, and only GET requests are considered.
# These rules need the HTTP request in the clear: the same request made over TLS
# is not seen by them unless it is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6133d41f0e6446f0.php"; depth:21; nocase; http.host; content:"serholders.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516285; rev:1;)
# The rule names the full subdomain; other hosts under the same shared parent
# (duckdns.org) are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ansy4abril.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516284; rev:1;)
# NOTE(review): the next two rules key on one specific webhook path on
# discord.com, a shared service that is normally reached over HTTPS, and webhook
# deliveries are usually POST requests. Confirm against the IOC reference whether
# a GET over plain HTTP is what the sample produced; otherwise treat these as
# low-coverage and do not read the absence of alerts as absence of the traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/1368569946631704597/glnlnj8tuuswnyj5rjogug_i3wwpbsue2y4apcdfnmaopjlnkxyara8dhhrwm7tfork_"; depth:102; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/1363629579188568306/wtwqmokcwlyroai6ttyqskdgnqp385afkmt7-nwykmz8vjufynmmiprhjlbgrfh0hqb0"; depth:102; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516282; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.234] 1997 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516281; rev:1;)
# More exact-name domain rules. msg separates "payload delivery" from "botnet C2
# traffic"; the matching logic is the same for both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fehin.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vekat.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n51v.pages.dev"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lelah.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medikalbitkisel.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medicalbitkisel.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medikalbitkisel.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e.overallwobbly.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516231; rev:1;)
# Payload-delivery URL rules at confidence_level 50. The host match pins one
# specific subdomain of netlify.app, so other sites on that platform are not
# matched. As with the other URL rules, only a GET seen as cleartext HTTP matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15432bs.bin"; depth:12; nocase; http.host; content:"statuesque-praline-1be80d.netlify.app"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516230/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15429b.bin"; depth:11; nocase; http.host; content:"fanciful-gelato-78b95c.netlify.app"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516229/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516229; rev:1;)
# The rule below is cut off here; the rest of it lies beyond this part of the list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/20649.bin"; depth:10; nocase; http.host; content:"stellar-gumption-ea9fd6.netlify.app"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516228/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lightsoi.pages.dev"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516227; rev:1;) alert tcp $HOME_NET any -> [5.181.156.158] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pusob.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/winhost.exe"; depth:18; nocase; http.host; content:"5.181.156.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516224/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_06; classtype:trojan-activity; sid:91516224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"security.yourclodd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"memsiug.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"naqod.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516220; rev:1;) alert tcp $HOME_NET any -> [156.253.227.62] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516219/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_06; classtype:trojan-activity; sid:91516219; rev:1;) alert tcp $HOME_NET any -> [165.22.37.20] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wincertfm.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516288/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_05_06; classtype:trojan-activity; sid:91516288; rev:1;)
# ---------------------------------------------------------------------------------------
# Reviewer notes for the rules that follow (rule text itself is unchanged).
#
# tcp rules:  the only match criteria are destination IP and port. There is no flow,
#             flags or content option, so a single outbound packet (including an
#             unanswered SYN) alerts. threshold (type limit, track by_src, seconds 60,
#             count 1) limits this to one alert per source per 60 s per rule. The family
#             named in msg is the ThreatFox label for the indicator; nothing in the rule
#             inspects the protocol, so the label is context for triage, not a finding.
# http rules: http.host is an exact match (depth + isdataat:!1,relative); http.uri is a
#             prefix match (depth only), so content:"/jub" also matches longer URIs that
#             begin with /jub. Clear-text HTTP only unless TLS is decrypted upstream.
# dns rules:  exact match on the full query name; subdomains of the name do not alert.
# target:src_ip marks the $HOME_NET side as the target in alert output.
# ---------------------------------------------------------------------------------------
alert tcp $HOME_NET any -> [185.208.156.153] 1857 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516278; rev:1;)
alert tcp $HOME_NET any -> [213.163.192.75] 888 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516277; rev:1;)
alert tcp $HOME_NET any -> [3.26.197.43] 44818 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516276; rev:1;)
# Hook indicators: 45.80.158.118 and 79.133.46.33 are each listed on more than one port
# in this file (one rule and one sid per IP:port pair), so one host can raise several
# alerts for the same destination.
alert tcp $HOME_NET any -> [45.80.158.118] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516275; rev:1;)
alert tcp $HOME_NET any -> [79.133.46.33] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516273; rev:1;)
alert tcp $HOME_NET any -> [154.58.204.239] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516274; rev:1;)
alert tcp $HOME_NET any -> [79.133.46.33] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516272; rev:1;)
alert tcp $HOME_NET any -> [186.169.92.72] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516271; rev:1;)
alert tcp $HOME_NET any -> [80.76.49.13] 10505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_06; classtype:trojan-activity; sid:91516270; rev:1;)
# From here first_seen is 2025_05_05 and several indicators drop to confidence_level 75.
alert tcp $HOME_NET any -> [196.251.81.84] 4002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516269/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516269; rev:1;)
alert tcp $HOME_NET any -> [196.251.81.84] 4001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516268/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516268; rev:1;)
# URL rules with short URI prefixes (/zsia, /jub, /adsk). The exact host match does most
# of the work; there is no dns rule for these hosts among the visible rules, so a
# lookup that is never followed by clear-text HTTP goes unreported.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"hvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516267/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"gorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516266/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"dwsnakejh.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516265/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516265; rev:1;)
# Port-443 IP rule: the rule cannot see inside TLS, so it reports that something on the
# host contacted this address, nothing more.
alert tcp $HOME_NET any -> [45.144.48.88] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516264/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vpn.coupmgrki.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516263/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516263; rev:1;)
# 176.65.141.93 is listed on three adjacent ports (9011-9013), one rule each.
alert tcp $HOME_NET any -> [176.65.141.93] 9012 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516261/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516261; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.93] 9013 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516262/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516262; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.93] 9011 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516260/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516260; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.174] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"gmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516255/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516255; rev:1;)
alert tcp $HOME_NET any -> [31.58.239.234] 8856 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516254/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516254; rev:1;)
# dorijinalecza.org / 1orjinalecza.net below resemble gorijinalecza.org above; each
# host is matched exactly, so look-alike names not listed here are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"dorijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516253/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnquw"; depth:6; nocase; http.host; content:"callinuxwf.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516252/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"1orjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516251/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516251; rev:1;)
alert tcp $HOME_NET any -> [189.140.41.33] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516250/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516250; rev:1;)
alert tcp $HOME_NET any -> 
[186.105.112.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516249/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516249; rev:1;)
# ---------------------------------------------------------------------------------------
# Reviewer notes for the rules that follow (rule text itself is unchanged).
#
# tcp rules:  match on destination IP and port only (no flow, flags or content), so any
#             outbound TCP packet to the pair alerts; threshold (type limit, track by_src,
#             seconds 60, count 1) gives at most one alert per source per 60 s per rule.
#             On ports 80 and 443 this means any web traffic to the address alerts. The
#             family in msg is the ThreatFox label, not something the rule verifies.
#             IP indicators go stale when addresses are reassigned - check first_seen and
#             the reference URL before acting on a hit.
# dns rules:  depth:<len> + isdataat:!1,relative = exact match on the whole query name
#             (case-insensitive); subdomains of a listed name do not alert. With an
#             internal resolver, src_ip may be the resolver rather than the asking host.
# http rules: exact http.host, prefix match on http.uri, clear-text HTTP only.
# target:src_ip marks the $HOME_NET side as the target in alert output.
# ---------------------------------------------------------------------------------------
alert tcp $HOME_NET any -> [18.102.118.123] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516248/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516248; rev:1;)
alert tcp $HOME_NET any -> [13.248.132.202] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516246; rev:1;)
alert tcp $HOME_NET any -> [43.205.117.56] 4369 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516244; rev:1;)
alert tcp $HOME_NET any -> [5.181.159.73] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516243; rev:1;)
alert tcp $HOME_NET any -> [45.148.4.29] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516242; rev:1;)
alert tcp $HOME_NET any -> [45.80.158.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516241; rev:1;)
# Three "Unknown malware" indicators share port 7443. The label gives no family to pivot
# on; the ThreatFox reference is the only context for what was observed.
alert tcp $HOME_NET any -> [105.101.192.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516237; rev:1;)
alert tcp $HOME_NET any -> [35.227.94.171] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516239; rev:1;)
alert tcp $HOME_NET any -> [37.252.4.149] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516240; rev:1;)
alert tcp $HOME_NET any -> [78.172.238.54] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516235; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.30] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516236; rev:1;)
alert tcp $HOME_NET any -> [194.67.200.48] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516233; rev:1;)
alert tcp $HOME_NET any -> [15.235.37.196] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516234; rev:1;)
alert tcp $HOME_NET any -> [185.186.245.86] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516232; rev:1;)
# URL rule whose http.host is a literal IP address, confidence_level 50. It fires only
# when the request's host is exactly that address; treat as a low-weight lead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.48.146.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516223/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maxiv.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516218; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.3] 2703 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516217; rev:1;)
# 185.239.226.65 is covered on both 80 and 443 (sids 91516198 / 91516199).
alert tcp $HOME_NET any -> [185.239.226.65] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516198; rev:1;)
alert tcp $HOME_NET any -> [185.239.226.65] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nenyz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516200; rev:1;)
# homeeick.com is covered twice: sid 91516213 (clear-text HTTP GET, URI prefix /sig/ini)
# and sid 91516214 (DNS query). The DNS rule still reports the lookup when the request
# itself goes over HTTPS and the http rule cannot see it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig/ini"; depth:8; nocase; http.host; content:"homeeick.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homeeick.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516214; rev:1;)
# The next two names sit under portmap.io and servebeer.com, which look like shared
# tunnelling / dynamic-DNS parents (presumably - verify). The exact match confines each
# rule to the one listed hostname; both are confidence_level 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"doneloby-42986.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"unlimited.servebeer.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a228f64bf7ebcb0.php"; depth:21; nocase; http.host; content:"62.60.226.232"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516212; rev:1;)
# confidence_level 50 on a port-80 IP rule: the msg names an actor/family label from
# ThreatFox, but the rule itself only sees "TCP to this address on port 80".
alert tcp $HOME_NET any -> [141.164.55.2] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516211; rev:1;)
alert tcp $HOME_NET any -> [107.189.19.196] 9000 (msg:"ThreatFox SectopRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516210; rev:1;)
# ---------------------------------------------------------------------------------------
# Reviewer notes for the rules that follow (rule text itself is unchanged).
#
# tcp rules:  destination IP and port are the only match criteria (no flow, flags or
#             content), so any outbound TCP packet to the pair alerts, including a SYN
#             that is never answered. threshold (type limit, track by_src, seconds 60,
#             count 1) gives at most one alert per source per 60 s per rule. The family
#             in msg is the ThreatFox label; the rule does not inspect the protocol.
# dns rules:  depth:<len> + isdataat:!1,relative = exact, case-insensitive match on the
#             whole query name; subdomains of a listed name do not alert.
# http rules: exact http.host, prefix match on http.uri, clear-text HTTP only.
# target:src_ip marks the $HOME_NET side as the target in alert output.
# metadata confidence_level is the ThreatFox confidence - usable as a triage weight.
# ---------------------------------------------------------------------------------------
alert tcp $HOME_NET any -> [107.189.26.54] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516209; rev:1;)
# Eight "Unknown malware" rules follow for addresses in 146.185.239.0/24, all port 80,
# all confidence_level 75. Each address has its own sid, and the threshold is per rule,
# so a host touching several of them raises one alert per address per minute - group by
# src_ip when triaging rather than counting alerts.
alert tcp $HOME_NET any -> [146.185.239.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516205/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516205; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.60] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516206/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516206; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.56] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516207/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516207; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516208/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516208; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516201/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516201; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516202/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516202; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.45] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516203/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516203; rev:1;)
alert tcp $HOME_NET any -> [146.185.239.10] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516204/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vaviq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516183; rev:1;)
# NOTE(review): in sid 91516196 the URI pattern is "/" with depth:1, i.e. "URI starts
# with a slash", which adds little beyond the host match. In effect this is a host-only
# rule for clear-text GET requests to eomaguera.com; sid 91516197 covers the same name
# at the DNS layer, so one visit can produce both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eomaguera.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eomaguera.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516197; rev:1;)
alert tcp $HOME_NET any -> [81.19.141.47] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516194; rev:1;)
alert tcp $HOME_NET any -> [37.27.89.195] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516193; rev:1;)
alert tcp $HOME_NET any -> [102.117.168.19] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516190; rev:1;)
alert tcp $HOME_NET any -> [161.132.68.248] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516191; rev:1;)
# Port-80 IP rule: any web request to this address alerts, regardless of host or path.
alert tcp $HOME_NET any -> [107.172.61.133] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516189; rev:1;)
alert tcp $HOME_NET any -> [213.209.143.23] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516188; rev:1;)
alert tcp $HOME_NET any -> [196.251.86.108] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516187; rev:1;)
# 186.169.92.72 is labelled Remcos here on port 8888; the same address is listed on port
# 9999 with an AsyncRAT label (sid 91516271). The label depends on the port that matched.
alert tcp $HOME_NET any -> [186.169.92.72] 8888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516186; rev:1;)
alert tcp $HOME_NET any -> [155.138.228.172] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516185; rev:1;)
alert tcp $HOME_NET any -> [185.130.249.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516184; rev:1;) alert tcp $HOME_NET any -> [49.12.211.132] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.211.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zesuz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516178; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 483 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig/ini"; depth:8; nocase; http.host; content:"wilwinson.com"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516179; rev:1;)
# Several indicators in this block appear twice, once as a dns_query rule and once as an
# http rule for the same host (adspixle.com, powlopski.com, poelpin.com,
# order.meetandeatsac.com, mcrsftuptade.pro, u1.dynamicrename.run). A single fetch can
# therefore raise two alerts under different sids; correlate on the source address and
# the ThreatFox reference rather than counting them as separate events.
# The msg of domain and url rules says only "payload delivery" or "botnet C2 traffic" and
# names no malware family; the reference URL has to be consulted for attribution.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wilwinson.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adspixle.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516173; rev:1;)
# http.uri is a prefix match here (depth:16, no isdataat on the URI buffer), so longer
# paths or query strings that begin with this value also match; http.host stays exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/pixel.js"; depth:16; nocase; http.host; content:"adspixle.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jamaz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516175; rev:1;)
alert tcp $HOME_NET any -> [161.248.238.54] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516176/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pekob.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516171; rev:1;)
alert tcp $HOME_NET any -> [202.79.170.130] 1111 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"order.meetandeatsac.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wuxoq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsacare.help"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lalaq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig/ini"; depth:8; nocase; http.host; content:"powlopski.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"powlopski.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poelpin.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poelpin.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"order.meetandeatsac.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"mcrsftuptade.pro"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcrsftuptade.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wubod.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1.dynamicrename.run"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/au1"; depth:4; nocase; http.host; content:"u1.dynamicrename.run"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516158; rev:1;)
alert tcp $HOME_NET any -> [43.142.161.126] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516161/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"666.20250503.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516160/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91516160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hezob.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1.parasailkisser.today"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516154; rev:1;)
# In the rules shown here the sid is the ThreatFox IOC id from the reference URL plus
# 90000000 (ioc/1516151 -> sid:91516151) and rev is always 1. Keep locally written rules
# out of that sid range and key suppress/threshold entries on these sids.
# target:src_ip marks the $HOME_NET host as the target in alert output: the internal
# endpoint is what needs triage, the destination is the indicator.
# metadata confidence_level and first_seen are the only quality and ageing signals a rule
# carries. ip:port indicators go stale when addresses are reassigned, so expire old
# entries instead of accumulating them.
alert tcp $HOME_NET any -> [41.216.189.167] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516151; rev:1;)
alert tcp $HOME_NET any -> [84.252.123.154] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516152; rev:1;)
alert tcp $HOME_NET any -> [31.56.58.192] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516150; rev:1;)
alert tcp $HOME_NET any -> [185.165.169.31] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516149; rev:1;)
alert tcp $HOME_NET any -> [35.182.236.183] 2403 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.buyofferproduct.store"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516145; rev:1;)
alert tcp $HOME_NET any -> [37.27.89.195] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516146; rev:1;)
alert tcp $HOME_NET any -> [41.216.189.77] 2096 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516147; rev:1;)
alert tcp $HOME_NET any -> [45.130.145.30] 45051 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516144; rev:1;)
alert tcp $HOME_NET any -> [154.58.204.239] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516143; rev:1;)
alert tcp $HOME_NET any -> [185.22.152.183] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516142/; target:src_ip; metadata: confidence_level 90, first_seen 2025_05_05; classtype:trojan-activity; sid:91516142; rev:1;)
alert tcp $HOME_NET any -> [149.106.152.96] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516141; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.197] 1361 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516139; rev:1;)
alert tcp $HOME_NET any -> [107.173.4.16] 2561 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bipyv.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kyfuf.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bobuq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515926/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515926; rev:1;)
# The complete rules that follow in this block are all confidence_level 50, yet they use
# the same classtype:trojan-activity as the 100% entries and set no priority keyword, so
# they are ranked the same unless the sensor or SIEM ranks on the metadata field.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp3/gate.php"; depth:14; nocase; http.host; content:"bikbike.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516136/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516136; rev:1;)
# Hostnames under dynamic-DNS provider domains: depth plus isdataat:!1,relative make the
# match exact, so only this full hostname alerts and other hosts under the same provider
# domain do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"razpa2.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516135/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gegesantx.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516134/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"indosystm.3utilities.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516132/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sajib22.freeddns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516133/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516133; rev:1;)
# Host is an IP literal: the rule matches the Host header text on cleartext HTTP, not the
# destination address of the connection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"155.2.192.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1516131/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516131; rev:1;)
# Header-only ip:port rules at confidence 50: no payload is inspected, so before acting
# check whether the address is shared infrastructure serving unrelated traffic.
alert tcp $HOME_NET any -> [52.30.118.159] 37 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516130/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516130; rev:1;)
alert tcp $HOME_NET any -> [47.99.127.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516129/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516129; rev:1;)
alert tcp $HOME_NET any -> [20.100.9.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516127/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516127; rev:1;)
alert tcp $HOME_NET any -> [15.168.16.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1516128/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91516128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd91hy1qhk6yt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516126; rev:1;)
# Run of .life names with 13-character alphanumeric labels and ThreatFox ids in one
# narrow range. They look machine-generated - NOTE(review): confirm the family through
# the reference URLs, since the msg names none.
# Each rule matches one exact name (depth:18 plus isdataat:!1,relative), so further names
# produced by the same scheme are not covered until ThreatFox lists them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k64vi6dwb3vub.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2u0oclf4qkhf9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"497i9cpvltmmz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezmxhty0f8adu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c43att2lnmrii.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x98yt5zgrdetc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l91e34o6cavw5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wocctudhspxst.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfu8g6cj2jzet.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cjl3mjvyhtses.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l10e5tlw0rdhh.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1nooeo9sl1pyy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bo07a5jjsx1fl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9ky8maiud4ybt.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0w504dd7qxtj1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1q4ye1ede0ish.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oh1l9b4xtvz8p.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rc0kpzrlrtm8s.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlyl41q4ryhr2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"83qakucey428y.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"pgp6p17t1woiv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516091; rev:1;)
# dns_query rules only see DNS that the sensor can parse in cleartext: lookups carried
# over DoH or DoT never reach them.
# If the sensor sits between an internal recursive resolver and the Internet, the source
# address in the alert (and the target:src_ip host) is the resolver, not the endpoint
# that asked; pair these alerts with resolver query logs to find the real client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vnjnm5gkhmoox.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t3vekb05o0x1s.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ozcnvx0ttby2y.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lc9imdd0qw4sf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hd1fywzoznsvu.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmnzj4wexw5p4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k275tbeu2enrr.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ijjo3if1iw1ue.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3cgfqwsca2vjm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kf6afzpw71y1i.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnxqj5y9nd44j.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzn5ols93w5oj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahe9mysbaf6sx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rl3v51cqzvdcc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuu9rshi7ddsw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a820hvo1duh7p.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7um64cd56c8ox.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lrhjo9d1i7165.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kch8oek61gm5u.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csxb4snq6o422.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ej2a4jjexp0tx.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njliit27uvwxx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekxs7px8z4pkv.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jgy8w4ygd4rgq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aq0owtwbg2iln.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oix6su6r6qrhz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516081/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7d67ywqznl6dx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnum43lhgl5e9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es8bfcf198l8b.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"219ailuj9xfwi.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yg33a9kqkxmno.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516086; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v902jykbi8igy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516087; rev:1;)
# Reviewer notes on scope and attribution for the DNS rules in this group:
# - Direction: `$HOME_NET any -> $EXTERNAL_NET any` inspects only DNS queries
#   that leave the monitored network; `target:src_ip` marks the querying side
#   as the affected host in the alert.
# - NOTE(review): where clients resolve through an internal recursive resolver,
#   the alerting source is presumably the resolver rather than the infected
#   endpoint, and client-to-resolver lookups may not match at all. This depends
#   on sensor placement and the $HOME_NET/$EXTERNAL_NET definitions; confirm,
#   and correlate hits with resolver query logs to find the originating host.
# - `classtype:trojan-activity` and the msg are identical across the group, so
#   the sid / reference URL is what distinguishes one hit from another.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f473aebp5u6cw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bafysfq4byx2q.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufstl0ra036vm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lnecjrlnhxxqd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qkly7m36iy6pf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmfvmf9fo16lj.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ged3j2fsllomw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p91e5qs3xax9s.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pg0n5ai8enmp9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6f36brf8oaenn.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7y4pjt6yk9j1c.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8ktedt71iw30a.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2y0bcs9qghefg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wd8kga3vogk1c.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"od1jfzirfcmfb.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sxcz4o3w0p82b.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4qye1e4r6vep8.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"57dqcu9mvzu4n.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fgwlgicxnrnhc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6urmjvx6bcg2e.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nq6knxwrmv65v.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"01unlnc3zl7sy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"06sl7kn02a4j1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suexnznjzr13f.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s0n2f7134hz9u.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svve3ioe7xb6x.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sspnyu34e1sih.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ejexcgi2xzlit.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1xn3rkcuj9kns.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wk63p6x85qb4b.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vm0qxt1p0eepg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baisxa55khrq7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9fchka34f1d0j.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tpi278a8bqfp1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h3t1x98cn4rll.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xi5zg3gqie3l7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516053; rev:1;)
alert dns
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idxk7yey03zod.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516018; rev:1;)
# Reviewer notes on this batch of ThreatFox domain rules:
# - Every rule in this group carries confidence_level 100 and
#   first_seen 2025_05_05, and every name is a 13-character alphanumeric label
#   under .life.
#   NOTE(review): that uniform shape suggests machine-generated names from a
#   single campaign; the rule text does not say so -- confirm on the referenced
#   IOC pages before relying on it.
# - `first_seen` in metadata is the only age signal carried by a rule. Nothing
#   in the rule expires it, so retiring stale domains is presumably left to the
#   feed refresh / rule-update process -- verify how this ruleset is updated.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3dxbyuquy4y9t.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"om8ehncrllp2l.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fqsp3md4e9esg.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28l2aym25cw30.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckd17bhmsgfu1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlhmq5ei1s074.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4i1zu6nzcamr7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mor4fd5bnk78x.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7qhmcnpsoe017.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efwyt1lbx865o.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"47e8e77tyza89.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whtfb5uo3uli1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1yaejpuytlisx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2mzlq3xim0s9f.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"15gacgart9drc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krqkq4i1llyzk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8nvdlt0tnomq1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpqxkx2u6xjg6.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krjmuvh6ku0t2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jbr18hwh7i7hc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eo9k1g3f70a3e.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hr31kprk9s5og.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8ezok0b7o3340.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suuf7u72w97k4.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a88jdw6ll0iry.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec0m39f2muzcn.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uow2lesk11dd2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3syv4vra7pixd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ljwbv17lvkeo3.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1fyzkhlsw2q60.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1zce9p8j1hj9a.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j3mokdpvhf69v.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2wml2fq3j8cr.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tbqb6spho92xa.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rf5kbhnf2f93w.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqirk995qvbnd.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515985; rev:1;)
alert dns
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o6mx8zar7um4z.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7rofujymz4jz2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l2jbifb6uwbte.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"67xu0i0n8bgj6.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uevzcl14u8hf9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"fpu95h50ze2zn.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"052rafm79ch9t.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"md0j8790yqclx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tyzvde2rlqywm.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7aqi30tdyv2aq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b7zhb7fhct4zf.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1515996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucobw87g5gxm7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v5egowapkfcee.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkq2vzzw0a6o2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lvk9fyt2jcfqq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91516000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3k0iseb3ocu8d.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1516001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; 
classtype:trojan-activity; sid:91516001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4p2coueydjemk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"48ic0seqo6rrc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8w5aogt61el3a.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b0wyg4snhx1h0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t24cc3w6oja5n.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4s0gdczb4gz26.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufwdmqxzqtvwc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cu390ph51q4j5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jx8nn406jtgwy.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugitxadou5kfq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0akyqs00mdsah.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"la224tffo11pl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftos844wh0y13.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tom6rs2y8elwc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uqjz05akvx3fz.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkukt01x9tzjq.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515981/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1wljdycpr5kor.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6dyviqwoq5g3b.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyr2ecbeem0a.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wv02ucf17hmko.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3l20oci5sq807.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515950; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecupy2q3fv57r.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqwn1lmpfqbh6.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e3jmtpa0wwzt0.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkx253q3draf9.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vh2tvpez98d8d.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"7tmcotffwi3rp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q5eel9bqwhgx5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zuhrwcnwcb6n5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y5c4jg84chy2j.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lguunjlpqn88h.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"34srx2ae2zva1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1515961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y13tnw0hg8ish.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"76qeyvxi3pjxk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h8cv0cubuurtw.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l30svryw9rxbk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yfur3cd7c6ee5.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; 
classtype:trojan-activity; sid:91515931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tk3cpy77sv699.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpg3l401g8fl.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"997pk0z192f6o.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"644urd0cjtdir.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragv0qaws4h65.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6lkfu93f30hbx.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sa7ny8qvh1p96.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u8hplffapqe5h.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"19ii8nij2v9f7.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tjty40ab7mogi.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z1blzidblgzz6.life"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"95cfb14o3us97.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wbmnoh3tkbed2.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iirw1x578ubc1.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2vkwidwgyjzhh.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0fq0fw4osfldp.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515947/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515947; rev:1;)
# DNS rules: exact match on the whole query name (depth equals the string
# length and isdataat:!1,relative requires that nothing follows), compared
# case-insensitively; a subdomain of a listed name does not match. sid is "9"
# followed by the ThreatFox IOC id from reference:url.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3x405o86wazfk.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us40rp511u1as.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w1yq2y82fd426.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uy2m0li5tvf8b.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515930; rev:1;)
# The next four DNS entries (three "payload delivery", one "botnet C2") use the
# same exact-name shape; only the name and its depth differ.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gujem.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dysoh.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory.army-govbd.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1sava.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515918; rev:1;)
# HTTP URL rules: fire on a client GET in an established flow. http.uri is
# anchored only at the start (depth equals the string length, no end anchor),
# so any URI beginning with the listed path matches, case-insensitively.
# http.host must equal the listed name exactly; Suricata lower-cases that
# buffer, which is why no nocase follows it. Only HTTP that Suricata can parse
# in the clear is inspected; the same URL fetched over TLS is not seen unless
# traffic is decrypted upstream. Most of these carry confidence_level 75, so
# corroborate a hit before treating the host as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyba"; depth:5; nocase; http.host; content:"thinkellk.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515917/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"keczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515916/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"corjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515915/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515915; rev:1;)
# ip:port rules: no payload or flow keyword, so any TCP packet from $HOME_NET
# to the listed address and port matches, an unanswered SYN included. A hit
# shows traffic toward the address, not the named family's protocol.
# threshold limits output to one alert per source address per 60 seconds.
# Address indicators age quickly; check first_seen and the feed entry before
# acting on a hit.
alert tcp $HOME_NET any -> [192.169.69.26] 8079 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515914; rev:1;)
alert tcp $HOME_NET any -> [44.201.126.95] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515913; rev:1;)
# The host below is one content-addressed subdomain under ipfs.w3s.link; the
# exact-host anchor keeps the rule from matching other names under that suffix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"bafybeiawneylrrcuwxv5fopeh2g6rhz4qgo3zoxco3j5ehxinddu7tejke.ipfs.w3s.link"; depth:73; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515912; rev:1;)
alert tcp $HOME_NET any -> [194.213.18.107] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/"; depth:6; nocase; http.host; content:"umatblog.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515910/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515910; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.106] 8079 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515911/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"skcartograhphy.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515908/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"rorijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515907/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gajd"; depth:5; nocase; http.host; 
content:"hackergala.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515906/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"4topographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515905/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515905; rev:1;) alert tcp $HOME_NET any -> [51.16.44.166] 11889 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515904; rev:1;) alert tcp $HOME_NET any -> [108.181.199.16] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212.27.12.9.mobile.3.dk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515901; rev:1;) alert tcp $HOME_NET any -> [47.236.177.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1515902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515902; rev:1;) alert tcp $HOME_NET any -> [103.77.241.26] 60000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515900; rev:1;) alert tcp $HOME_NET any -> [146.103.40.203] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515899; rev:1;) alert tcp $HOME_NET any -> [104.168.19.226] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515898; rev:1;) alert tcp $HOME_NET any -> [172.111.245.3] 9907 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515897; rev:1;) alert tcp $HOME_NET any -> [8.219.232.189] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515896; rev:1;) alert tcp $HOME_NET any -> [115.159.71.204] 10000 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515894; rev:1;) alert tcp $HOME_NET any -> [38.55.204.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515895; rev:1;) alert tcp $HOME_NET any -> [103.140.154.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verserelation.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sisterwood.icu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oiu.php"; depth:8; nocase; http.host; 
content:"creatoreggs.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmykhpanel.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ncdcare.help"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515889; rev:1;)
# URL rule: matches GET requests only. The http.uri content with depth and no
# end anchor is a case-insensitive prefix match; the http.host content is
# anchored at both ends (depth plus isdataat:!1,relative) and must equal the
# listed value. The rule applies only where Suricata parses the flow as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"155.2.192.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515887; rev:1;)
# ip:port rule: there is no flow or flags keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches, including a connection
# attempt that is never answered. The threshold limits this to one alert per
# source address per 60 seconds. Confirm an established session in flow
# records before treating a hit as C2 communication.
alert tcp $HOME_NET any -> [5.75.213.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515886; rev:1;)
# The URI condition here (content "/" with depth:1) only requires the URI to
# begin with "/", so this rule is effectively keyed on the Host value alone.
# It covers the same address as sid:91515886 above, which matches TCP to port 443.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qyzoz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515883; rev:1;)
alert tcp $HOME_NET any -> [176.120.16.45] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.4g.gs"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515830; rev:1;)
# NOTE(review): the next two query names embed an IPv4 address and look like
# provider-assigned host names. Presumably they follow whoever currently holds
# that address; check a hit against first_seen and the referenced ThreatFox
# entry before attributing it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"104.129.181.228.16clouds.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-123-60-135-200.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515832/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515832; rev:1;) alert tcp $HOME_NET any -> [49.113.79.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cx104.vallecort.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515835; rev:1;) alert tcp $HOME_NET any -> [166.88.95.137] 13443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515836; rev:1;) alert tcp $HOME_NET any -> [185.100.157.17] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515837; rev:1;) alert tcp $HOME_NET any -> [45.150.33.77] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"31033-50051.bacloud.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515839; rev:1;) alert tcp $HOME_NET any -> [176.65.141.71] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515840; rev:1;) alert tcp $HOME_NET any -> [34.81.155.243] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515842; rev:1;) alert tcp $HOME_NET any -> [63.33.41.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515843; rev:1;) alert tcp $HOME_NET any -> [3.252.42.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515844; rev:1;) alert tcp $HOME_NET any -> [158.160.154.26] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515845/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515845; rev:1;) alert tcp $HOME_NET any -> [13.70.131.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515847; rev:1;) alert tcp $HOME_NET any -> [220.130.137.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515846; rev:1;) alert tcp $HOME_NET any -> [18.192.233.224] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515848; rev:1;) alert tcp $HOME_NET any -> [18.192.233.224] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515849; rev:1;) alert tcp $HOME_NET any -> [13.60.38.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515850; rev:1;) alert tcp $HOME_NET any -> [54.217.198.240] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515851; rev:1;) alert tcp $HOME_NET any -> [20.8.191.21] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515852; rev:1;) alert tcp $HOME_NET any -> [3.248.252.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515853; rev:1;) alert tcp $HOME_NET any -> [54.194.244.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515854; rev:1;) alert tcp $HOME_NET any -> [24.199.97.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515855; rev:1;) alert tcp $HOME_NET any -> [13.48.195.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515856/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_05; classtype:trojan-activity; sid:91515856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wubys.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hodef.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515859; rev:1;)
# sid:91515828 and sid:91515827 (two rules further down) have identical match
# conditions: GET, URI prefix "/techguardsecuresuite/", Host 45.141.86.133.
# They differ only in ThreatFox reference and sid, so a single matching
# request raises two alerts. Deduplicate on the Host/URI pair downstream
# rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techguardsecuresuite/"; depth:22; nocase; http.host; content:"45.141.86.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lurup.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515811; rev:1;)
# Same match conditions as sid:91515828 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techguardsecuresuite/"; depth:22; nocase; http.host; content:"45.141.86.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515827; rev:1;)
# Payload-delivery URL rules: GET requests only. The URI is matched as a
# case-insensitive prefix, and Host must equal the listed name exactly. Other
# request methods to the same URL, and flows Suricata does not parse as HTTP,
# are not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"land-of-dreams.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/captcha.txt"; depth:12; nocase; http.host; content:"cf-unstable.media"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515809; rev:1;)
# URI condition is just a leading "/", so any GET with this Host value matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bytevista.cloud"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515810; rev:1;)
alert tcp $HOME_NET any -> [96.30.192.6] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cyxix.press"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tom4ku9v/login.php"; depth:19; nocase; http.host; content:"80.64.18.63"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515789; rev:1;)
# From here the feed's confidence_level drops to 50 (stated in msg and
# metadata). classtype stays trojan-activity as in the 100% rules, so the
# metadata field is the only attribute that separates them.
# NOTE(review): consider routing confidence_level 50 hits to a lower-priority
# queue keyed on that field.
# The ply.gg and portmap.io entries are individual host names under a shared
# parent domain, presumably a tunnelling or port-forwarding service. Because
# these rules match the full query name exactly, other host names under the
# same parent do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"written-read.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515882/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"email-stronger.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515881/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515881; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 53162 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515880/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"everyone-decrease.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sanael-63678.portmap.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515879/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515879; rev:1;)
# ip:port rules at confidence_level 50: with no flow or flags keyword, any TCP
# packet to the listed address and port matches, and the threshold allows one
# alert per source address per 60 seconds. Corroborate with flow or endpoint
# data before escalating.
alert tcp $HOME_NET any -> [194.233.82.24] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515877; rev:1;)
alert tcp $HOME_NET any -> [162.254.86.108] 4433 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515876; rev:1;)
alert tcp $HOME_NET any -> [51.158.120.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515875; rev:1;)
alert tcp $HOME_NET any -> [194.26.27.10] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515873/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515873; rev:1;)
alert tcp $HOME_NET any -> 
[92.255.57.37] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515874; rev:1;) alert tcp $HOME_NET any -> [3.80.91.122] 8649 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515872/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515872; rev:1;) alert tcp $HOME_NET any -> [3.25.166.106] 4063 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515871/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515871; rev:1;) alert tcp $HOME_NET any -> [45.61.166.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515868/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515868; rev:1;) alert tcp $HOME_NET any -> [164.92.151.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515869/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515869; rev:1;) alert tcp $HOME_NET any -> [192.144.12.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515870/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515870; rev:1;) alert tcp $HOME_NET any -> [35.86.114.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515866/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515866; rev:1;) alert tcp $HOME_NET any -> [113.45.225.150] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515867/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515867; rev:1;) alert tcp $HOME_NET any -> [183.63.173.29] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515864/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515864; rev:1;) alert tcp $HOME_NET any -> [154.90.49.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515865/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515865; rev:1;) alert tcp $HOME_NET any -> [103.171.35.26] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515863/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515863; rev:1;) alert tcp $HOME_NET any -> [89.168.58.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515861/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515861; rev:1;)
# The sid is the ThreatFox IOC id from the reference URL prefixed with 9
# (ioc/1515862 -> sid:91515862), which gives a stable key for per-IOC suppress or
# threshold overrides.
# NOTE(review): check that this sid range does not overlap locally assigned sids.
alert tcp $HOME_NET any -> [43.242.200.223] 8841 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515862/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515862; rev:1;)
alert tcp $HOME_NET any -> [89.168.33.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515860; rev:1;)
# confidence_level rises from 50 to 100 from here on; classtype and rule shape are
# unchanged, so only the metadata field and the msg text carry that difference.
alert tcp $HOME_NET any -> [94.26.90.81] 7773 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515857; rev:1;)
alert tcp $HOME_NET any -> [52.195.168.77] 503 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515841; rev:1;)
alert tcp $HOME_NET any -> [185.208.159.176] 57882 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; 
sid:91515834; rev:1;)
alert tcp $HOME_NET any -> [137.184.143.194] 55556 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515829/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_05; classtype:trojan-activity; sid:91515829; rev:1;)
alert tcp $HOME_NET any -> [45.141.86.133] 4443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515826/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_05; classtype:trojan-activity; sid:91515826; rev:1;)
# URL rule: needs a parsed cleartext HTTP request from the client (alert http,
# flow:established,from_client). The method must be GET. http.uri is anchored at the
# start only (depth equals the pattern length, no end check), so longer paths and
# query strings still match; http.host must equal the name exactly (depth plus
# isdataat:!1,relative). HTTPS requests to the same host are not visible to this rule
# unless decrypted upstream. There is no threshold keyword, so every matching request
# alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serverbasedlecdnuploads.php"; depth:28; nocase; http.host; content:"addisonche.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515825; rev:1;)
alert tcp $HOME_NET any -> [104.200.73.83] 556 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515824; rev:1;)
# The msg names no family ("Unknown malware"); the reference URL is the only context
# for triage, and on port 80 the match is on address and port alone.
alert tcp $HOME_NET any -> [51.195.229.85] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515823; rev:1;)
alert tcp $HOME_NET any -> [192.140.166.53] 808 (msg:"ThreatFox 
Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515822; rev:1;)
# target:src_ip marks the $HOME_NET source as the target in alert output, i.e. the
# internal host to investigate.
alert tcp $HOME_NET any -> [144.91.124.44] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515821; rev:1;)
# Domain rule: dns_query is the legacy spelling of the dns.query buffer. depth equal
# to the name length plus isdataat:!1,relative makes this an exact match on the whole
# query name, so a lookup of a subdomain (for example with a www. label in front)
# does not alert. The rule only sees cleartext DNS that passes the sensor; clients
# resolving over DoH or DoT bypass it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mersh.co"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515818; rev:1;)
alert tcp $HOME_NET any -> [31.57.228.145] 2053 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515819; rev:1;)
alert tcp $HOME_NET any -> [45.80.158.118] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"urbanbloo.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515816/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_05; classtype:trojan-activity; sid:91515816; rev:1;)
# Domain rules carry no threshold keyword, so each matching query produces an alert;
# a host that keeps retrying resolution can generate bursts. If the sensor sits
# behind an internal resolver, the alerting source is the resolver, not the client
# that asked it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novacrat.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515817; rev:1;)
alert tcp $HOME_NET any -> [213.209.143.51] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515815; rev:1;)
alert tcp $HOME_NET any -> [13.60.99.34] 67 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515814; rev:1;)
# No family is named in the msg ("Unknown malware"); use the reference URL for
# context before acting on a hit.
alert tcp $HOME_NET any -> [1.13.92.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515813; rev:1;)
alert tcp $HOME_NET any -> [101.200.76.102] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_05; classtype:trojan-activity; sid:91515812; rev:1;)
alert tcp $HOME_NET any -> [78.128.112.209] 48965 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515807/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515807; rev:1;)
# first_seen is 2025_05_04 for the entries below. ip:port indicators lose value as
# addresses are reassigned.
# NOTE(review): decide a local retention window and drop or downgrade entries older
# than it, using the first_seen metadata value.
alert tcp $HOME_NET any -> [5.163.185.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515806/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515806; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.158] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515805/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515805; rev:1;)
alert tcp $HOME_NET any -> [209.38.186.227] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515804/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515804; rev:1;)
alert tcp $HOME_NET any -> [103.141.158.19] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515803/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515803; rev:1;)
alert tcp $HOME_NET any -> [62.171.138.173] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515801; rev:1;)
alert tcp $HOME_NET any -> 
[56.124.32.96] 13123 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515799; rev:1;)
alert tcp $HOME_NET any -> [34.220.174.146] 20141 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515800; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.109] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515798; rev:1;)
# 24.152.36.216 appears twice (ports 5000 and 2000) under separate sids. Each rule
# keeps its own threshold state, so one host contacting both ports yields two alerts
# per minute; group by destination address when counting affected hosts.
alert tcp $HOME_NET any -> [24.152.36.216] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515796; rev:1;)
alert tcp $HOME_NET any -> [24.152.36.216] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515797; rev:1;)
alert tcp $HOME_NET any -> [213.209.143.43] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1515795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515795; rev:1;)
# Direction is one-way ($HOME_NET -> address): only traffic sourced from $HOME_NET is
# matched, so these rules depend on $HOME_NET being set correctly on the sensor.
# NOTE(review): if $HOME_NET is left at private ranges only, hosts on public
# addresses you own are not covered - confirm the sensor configuration.
alert tcp $HOME_NET any -> [84.46.243.167] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515794; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.69] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515793; rev:1;)
alert tcp $HOME_NET any -> [107.173.4.8] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515790; rev:1;)
alert tcp $HOME_NET any -> [179.13.0.197] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515791; rev:1;)
alert tcp $HOME_NET any -> [192.3.171.198] 14646 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"dimmergauntlet.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515787; rev:1;)
# Payload-delivery URL at confidence_level 50 with an IP literal in http.host. The
# rule matches the client's GET only; whether the file was actually returned has to
# be checked in the HTTP response or file logs and on the endpoint.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.48.148.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515786/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515786; rev:1;)
# 80.64.18.63 is also the http.host of URL rule sid:91515748 in this feed, so a single
# HTTP request to that address on port 80 can raise both alerts.
alert tcp $HOME_NET any -> [80.64.18.63] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515785/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515785; rev:1;)
# URL rules: http.uri is start-anchored only (depth equals the pattern length, no end
# check); http.host is an exact match (depth plus isdataat:!1,relative). Cleartext
# HTTP GET only, and no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"vmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515784/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"zorijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515782/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515782; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"zreczamedikal.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515783/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515783; rev:1;)
# The hostnames in this run differ only in their leading characters
# (zreczamedikal.org / seczamedikal.org, q0eczakozmetik.net / oeczakozmetik.net).
# http.host is an exact match, so a variant that is not listed does not alert.
# NOTE(review): consider a local hunt on the shared suffix in DNS or proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"seczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515781/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"q0eczakozmetik.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515780/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"oeczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515779/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; 
nocase; http.host; content:"o1orjinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515778/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515778; rev:1;)
# The http.uri patterns here ("/kazd", "/adsk", "/juj") are 4-5 bytes and anchored at
# the start only; the exact http.host match is what gives these rules their
# specificity. nocase follows the http.uri content and applies to it; the http.host
# content is written in lowercase to match Suricata's normalised host buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"forijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515777/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"esnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515776/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"9medicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515775/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"5vecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515774/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; 
classtype:trojan-activity; sid:91515774; rev:1;)
# URL rules alert on every matching GET (no threshold keyword), while the ip:port
# rule between them is limited to one alert per source per 60 seconds; raw alert
# counts across the two rule types are therefore not comparable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"1snakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515773/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515773; rev:1;)
# ip:port on 80: matches any TCP traffic to the address on that port, independent of
# URL or Host header.
alert tcp $HOME_NET any -> [27.124.44.132] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"zaeneasq.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515771/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"vvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515769/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"wmedicalbitkisel.net"; 
depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515770/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515770; rev:1;)
# Only GET is matched (http.method; content:"GET"): a request with another method to
# the same path and host does not alert. The hosts below are further
# single-character variants (veczamedikal.org / heczamedikal.org, lsnakejh.top /
# jsnakejh.top), each matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"veczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515768/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"lsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515767/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"jsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515766/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"heczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515765/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515765; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"dsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515764/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515764; rev:1;)
# The header is $HOME_NET -> $EXTERNAL_NET. Where clients use an internal forward
# proxy, the client-to-proxy leg has a $HOME_NET destination and is not matched; the
# sensor must see the proxy's outbound leg, and target:src_ip then names the proxy
# rather than the client. Use proxy logs to attribute the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"ceczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515763/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"8orjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515762/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"4orijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515761/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; 
nocase; http.host; content:"1tortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515760/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515760; rev:1;)
# The msg of these URL rules carries no malware family ("botnet C2 traffic" only), so
# family attribution has to come from the IOC page given in reference:url.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"ycivitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515759/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"dscriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515758/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ariq"; depth:5; nocase; http.host; content:"drypingzyr.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515757/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"8opusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515756/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; 
classtype:trojan-activity; sid:91515756; rev:1;)
# Same path ("/art.php") on two hosts, confidence_level 100. The path is matched as a
# prefix, so requests carrying a query string after it also alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"stitchtransport.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"throatsalt.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515754; rev:1;)
# Domain rules match the full query name exactly (depth equals the name length, then
# isdataat:!1,relative). web.raihelp.top is covered as written; a query for the
# parent name or for another label under it is not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web.raihelp.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tybhelp.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web.chohelp.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515753/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515753; rev:1;)
alert tcp $HOME_NET any -> [161.248.238.54] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515750/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515750; rev:1;)
# The name below sits under a dynamic-DNS provider domain. The rule matches this one
# full name only, not the provider domain, so other names under it are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brolyx95.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515749; rev:1;)
# 80.64.18.63 is also covered on port 80 by ip:port rule sid:91515785 in this feed;
# a cleartext request for this URL can raise both alerts. This URL rule is the more
# specific of the two (confidence_level 100 against 50).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tom4ku9v/index.php"; depth:19; nocase; http.host; content:"80.64.18.63"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"app-uni-infos.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515714/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign-in"; depth:8; nocase; http.host; content:"84.200.154.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515720/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515720; rev:1;)
# Payload-delivery URLs on one host. The file names appear to imitate installers for
# cryptocurrency wallet software. A hit records that a client requested the file,
# not that it was downloaded or run; check the HTTP response or file logs and the
# endpoint before concluding compromise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6j84vsdbngie2/tangem-setup-x64.exe"; depth:36; nocase; http.host; content:"desablums.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6j84vsdbngie2/trustwallet-setup-latest-x64.exe"; depth:48; nocase; http.host; content:"desablums.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6j84vsdbngie2/coinomi-wallet-setup-x64.exe"; depth:44; nocase; http.host; content:"desablums.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515729; rev:1;)
# Domain indicator at confidence_level 75: exact-name match on cleartext DNS only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"en-bitcoin.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515730/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"bitccincore.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515731/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6j84vsdbngie2/trezor-suite-25.4.2-win-x64-setup.exe"; depth:53; nocase; http.host; content:"desablums.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alicante-news.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"bitccincore.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515736; rev:1;) alert tcp $HOME_NET any -> [47.86.232.155] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515740/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515740; rev:1;)
# ip:port indicators. No flow or content keyword is present, so a single TCP packet from
# $HOME_NET to the address and port is enough to alert (an unanswered SYN included), and
# "threshold: type limit ... count 1" caps it at one alert per source per 60 seconds.
# The family name in msg comes from the feed entry, not from anything inspected on the
# wire; confirm a hit against flow or session data before acting on it.
# first_seen is the only age information carried in the rule.
alert tcp $HOME_NET any -> [45.74.15.233] 3402 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515739; rev:1;)
alert tcp $HOME_NET any -> [94.198.96.166] 52190 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515738; rev:1;)
alert tcp $HOME_NET any -> [161.35.255.100] 55556 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515737; rev:1;)
alert tcp $HOME_NET any -> [45.204.199.73] 7777 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515726; rev:1;)
# url indicator: http.host is matched exactly (depth plus isdataat:!1,relative), while
# http.uri has only a depth, so anything appended after the path still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ct57262.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515725; rev:1;)
alert tcp $HOME_NET any -> [45.204.197.88] 1991 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515724; rev:1;)
alert tcp $HOME_NET any -> [185.177.239.241] 2222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515723; rev:1;)
alert tcp $HOME_NET any -> [195.211.191.54] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515722; rev:1;)
alert tcp $HOME_NET any -> [23.249.29.117] 5555 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515721; rev:1;)
# The next two entries are confidence_level 75. 123.60.135.200 is listed again for
# port 443 at 100 (sid:91515677), so the two ports alert with different confidence.
alert tcp $HOME_NET any -> [152.42.199.84] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515719/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515719; rev:1;)
alert tcp $HOME_NET any -> [123.60.135.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515718/; target:src_ip;
metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515718; rev:1;)
alert tcp $HOME_NET any -> [38.134.148.175] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515717; rev:1;)
alert tcp $HOME_NET any -> [18.189.194.55] 9090 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515716; rev:1;)
# Domain indicators, most of them at confidence_level 50. Each rule matches one exact
# query name: depth equals the name length, isdataat:!1,relative closes the end, and
# nocase ignores case. A lookup of a sibling or deeper subdomain does not alert.
# Several names put a familiar-looking label to the left of an unrelated registered
# domain (raydium.io-sol.vip, for example, sits under io-sol.vip), so any allow or block
# decision should key on the registered domain, not the leftmost label.
# NOTE(review): consider routing confidence_level 50 rules to a lower alert tier.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adfs.fdwx.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"velodrome.finance-superchain.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515696/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"biswap.org-earn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515695/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"camelot.exc-v3.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515692/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"alpaca-flnance.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515667/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app.alpacaflnance.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515688/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515688; rev:1;)
# 161.248.238.54 is also listed with port 57899 (sid:91515750). Like every ip:port rule
# in the feed, this one fires on any TCP packet to the address and port, at most once
# per source per 60 seconds.
alert tcp $HOME_NET any -> [161.248.238.54] 1995 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515646/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dapp.radar-home.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515689/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"raydium.io-sol.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515690/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sushi.swap-ether.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515691/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kodiak.finance.io-v6.bet"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515693/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app.spookyswap-v3.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515694/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515694; rev:1;)
# url rules with http.uri; content:"/"; depth:1 alert on any GET to the exact host,
# because every request URI begins with "/".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sky-shiiyu.moe"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515713/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host;
content:"computonline.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515712/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515712; rev:1;)
# Every url rule in this run uses http.uri; content:"/"; depth:1, which any request URI
# satisfies, so each one alerts on any GET whose Host header equals the listed name
# exactly (depth plus isdataat:!1,relative on http.host). All are confidence_level 50.
# Three hosts sit under the shared parent pages.dev; the end-anchored host match keeps
# each rule to that one subdomain and leaves the parent and its other tenants alone.
# Requests made over TLS are not visible to alert http rules unless they are decrypted
# upstream, so pair these with DNS or TLS SNI telemetry for the same names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kap.magicitbd.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515711/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"travelersi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.banki.kancelariaoxford.pl"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515708/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cloudflare.eradigitalibl.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pumpcommunity.pages.dev"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pumpfunaaexposed.pages.dev"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515706/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nahamcon2025asdasd.pages.dev"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515705/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blockinsight.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"admin-protect.help"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"idcomplaint2.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515702/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"complaintreservaid1.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515701/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"idcomplaint1.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515700/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515700; rev:1;)
alert tcp $HOME_NET any -> [143.92.60.22] 9568 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04;
classtype:trojan-activity; sid:91515699; rev:1;)
# ip:port indicators: with no flow or content keyword, any TCP packet from $HOME_NET to
# the address and port alerts (a SYN that is never answered included); the threshold
# limits this to one alert per source per 60 seconds. Several entries use port 443,
# where the rule cannot tell the listed service from anything else on that address,
# so weigh confidence_level and first_seen before escalating.
alert tcp $HOME_NET any -> [70.31.125.150] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515698/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515698; rev:1;)
alert tcp $HOME_NET any -> [54.169.64.63] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515697/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515697; rev:1;)
alert tcp $HOME_NET any -> [86.93.140.187] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515686; rev:1;)
alert tcp $HOME_NET any -> [101.109.205.1] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515687; rev:1;)
alert tcp $HOME_NET any -> [47.236.177.123] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515685; rev:1;)
# Domain indicator: exact, case-insensitive match of the whole query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blinkory.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515684; rev:1;)
alert tcp $HOME_NET any -> [173.255.232.239] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515683; rev:1;)
# 196.251.115.33 is listed on two ports (6606 and 7707); each port is its own rule and
# sid, and the threshold is counted per rule, so one source can raise both.
alert tcp $HOME_NET any -> [196.251.115.33] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515681; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.33] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515682; rev:1;)
alert tcp $HOME_NET any -> [196.251.92.3] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515680; rev:1;)
alert tcp $HOME_NET any -> [146.70.41.206] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515679; rev:1;)
alert tcp $HOME_NET any -> [206.238.114.38] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515678; rev:1;)
# 123.60.135.200 is also listed for port 80 at confidence_level 75 (sid:91515718).
alert tcp $HOME_NET any -> [123.60.135.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515677; rev:1;)
# url indicators with short paths. http.uri has a depth but no end anchor, so "/werrp"
# also matches any longer URI that begins with it; the exact http.host match is what
# makes these rules specific. Only cleartext HTTP is visible to alert http.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"scivitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515676/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toquw"; depth:6; nocase; http.host; content:"quaestort.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515675/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"porjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515674/; target:src_ip; metadata: confidence_level 75, first_seen
2025_05_04; classtype:trojan-activity; sid:91515674; rev:1;)
# url indicators, confidence_level 75. The URI content is four or five bytes with a
# depth and no end anchor, so it is a prefix test ("/jub" also matches a longer path
# starting with those bytes); the host, anchored at both ends, carries the specificity.
# Host names that differ by a letter (ljorijinalecza.org, porijinalecza.net) each need
# their own rule because the host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"ljorijinalecza.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515673/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"hexitiumt.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515672/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"dhemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515671/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"zmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515670/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"porijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515669/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"0opusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515668/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515668; rev:1;)
# Domain indicators, all confidence_level 50. Several names sit under shared tunnelling
# or dynamic-DNS parents (portmap.io, gl.at.ply.gg, sytes.net). The match is anchored at
# both ends, so only the listed subdomain alerts and other users of the same parent do
# not. Such names can be re-pointed or re-registered quickly, so check first_seen when
# triaging a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gmug.uncofig.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515665/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kiwibobby-55937.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515666/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mcjacademy.cyou"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515664/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"salesmanpaypals-52908.portmap.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515662/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"three-comparative.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515663/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"direct-conventional.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515661/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"foundation-appropriate.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515660/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gotoaa.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515659/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.199.166.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515658/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515658; rev:1;)
# ip:port rules: the rule header does all the matching (TCP from $HOME_NET to one
# address and port). No flow: or payload keyword is present, so an alert records a
# packet sent toward the listed endpoint, not a decoded C2 exchange.
# threshold type limit, track by_src, seconds 60, count 1 caps each rule at one alert
# per source address per 60 seconds.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
# NOTE(review): confidence_level (repeated in msg and metadata) is the only quality
# signal on this page and its definition is not shown here; treat the 50 entries as
# needing host or proxy corroboration - confirm against the ThreatFox documentation.
alert tcp $HOME_NET any -> [117.209.82.28] 45666 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515657/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515657; rev:1;)
alert tcp $HOME_NET any -> [54.236.199.83] 2154 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515656/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515656; rev:1;)
alert tcp $HOME_NET any -> [13.49.46.253] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515655/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515655; rev:1;)
alert tcp $HOME_NET any -> [38.110.228.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515654/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515654; rev:1;)
alert tcp $HOME_NET any -> [148.66.11.10] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515653; rev:1;)
# "Unknown malware" entries name no family in msg; the reference URL is the only
# pointer to further context when triaging them.
alert tcp $HOME_NET any -> [206.189.116.120] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515651/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515651; rev:1;)
alert tcp $HOME_NET any -> [64.23.133.41] 31337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515652/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515652; rev:1;)
alert tcp $HOME_NET any -> [85.209.128.31] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515650/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515650; rev:1;)
alert tcp $HOME_NET any -> [185.147.124.148] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515649/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515649; rev:1;)
alert tcp $HOME_NET any -> [43.139.124.56] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515648/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515648; rev:1;)
alert tcp $HOME_NET any -> [8.138.189.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515647/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515647; rev:1;)
# url rule: http.host is anchored at both ends (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes). The http.uri content has depth but no
# end check, so any request path beginning with "/mozi.m" matches, case-insensitively.
# The host pattern is an address literal, so the rule fires only when the Host value
# is that literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.200.148.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515645/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515645; rev:1;)
alert tcp $HOME_NET any -> [63.33.197.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515636; rev:1;)
alert tcp $HOME_NET any -> [142.171.29.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515635; rev:1;)
alert tcp $HOME_NET any -> [13.60.228.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515637; rev:1;)
alert tcp $HOME_NET any -> [13.49.0.94] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515632/; target:src_ip;
metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515632; rev:1;)
# ip:port rules: each one alerts on TCP from $HOME_NET to a single address and port,
# limited to one alert per source address per 60 seconds by the threshold keyword.
# Nothing in the rule body inspects the payload, so on ports 80 and 443 the rule fires
# for any TCP packet to that address, whatever hostname or application is involved.
# NOTE(review): if a listed address is shared or later reassigned, unrelated traffic
# to it will alert; first_seen is the only age signal on this page - verify freshness
# against the reference URL before acting.
alert tcp $HOME_NET any -> [16.171.230.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515633; rev:1;)
alert tcp $HOME_NET any -> [188.40.233.29] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515634; rev:1;)
alert tcp $HOME_NET any -> [63.33.56.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515631; rev:1;)
alert tcp $HOME_NET any -> [13.201.89.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515630; rev:1;)
alert tcp $HOME_NET any -> [15.235.167.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515628; rev:1;)
alert tcp $HOME_NET any -> [34.241.214.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515629; rev:1;)
alert tcp $HOME_NET any -> [13.125.164.1] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515627; rev:1;)
alert tcp $HOME_NET any -> [51.178.26.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515625; rev:1;)
alert tcp $HOME_NET any -> [3.124.207.127] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515626; rev:1;)
alert tcp $HOME_NET any -> [107.155.87.39] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515623; rev:1;)
alert tcp $HOME_NET any -> [185.221.152.164] 3434 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515624; rev:1;)
alert tcp $HOME_NET any -> [89.23.97.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515618; rev:1;)
alert tcp $HOME_NET any -> [3.255.90.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515620; rev:1;)
alert tcp $HOME_NET any -> [52.213.183.75] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515621; rev:1;)
alert tcp $HOME_NET any -> [13.60.26.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515622; rev:1;)
# domain rule: dns_query content with depth equal to the name length plus
# isdataat:!1,relative is a whole-name, case-insensitive match. A query for a
# subdomain of the listed name does not fire it. No threshold keyword is set on
# domain rules, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veltyzo.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515617; rev:1;)
alert tcp $HOME_NET any -> [196.251.83.223] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515615; rev:1;)
# ip:port rules alert on TCP from $HOME_NET to one address and port, at most once per
# source address per 60 seconds. sids 91515615 and 91515614 name the same address
# (196.251.83.223) on different ports, so pivot on the address when hunting rather
# than on a single sid.
alert tcp $HOME_NET any -> [24.152.36.216] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515616; rev:1;)
alert tcp $HOME_NET any -> [196.251.83.223] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515614; rev:1;)
# domain rules: dns_query content with depth equal to the name length plus
# isdataat:!1,relative is a whole-name, case-insensitive match; subdomains of a listed
# name do not match.
# msg separates "payload delivery" from "botnet C2 traffic", but classtype is
# trojan-activity for both, so filtering on classtype cannot tell them apart.
# NOTE(review): dns_query is the older spelling of the DNS buffer keyword, while the
# url rules in this file use dotted sticky buffers (http.uri, http.host) - confirm the
# minimum Suricata version this file is meant to load on.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgtseso-sedes.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515612; rev:1;)
alert tcp $HOME_NET any -> [45.81.23.48] 1777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elcctrum.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"desablums.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tcangcm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trusltwcllct.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coiincmi.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0maill.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"us-ledger.io"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515609/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515609; rev:1;)
alert tcp $HOME_NET any -> [4.237.239.58] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515638; rev:1;)
alert tcp $HOME_NET any -> [164.92.69.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"theuni-swap.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515641/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_04; classtype:trojan-activity; sid:91515641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webexone.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"raw.foxthreatnointel.vip"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1515434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515434; rev:1;)
# domain rules: whole-name, case-insensitive match on the DNS query (depth equals the
# name length and isdataat:!1,relative rejects trailing bytes); subdomains of a listed
# name do not match. The five .digital entries below share confidence_level 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accountfun.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"homelecyfi.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515437/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gobacknihq.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515438/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suiadris.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515439/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"caverimared.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515440/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515440; rev:1;)
# url rules: flow:established,from_client restricts them to client requests on an
# established session. http.host is anchored at both ends; the http.uri content has
# depth but no end check, so it is a case-insensitive prefix match on the path. The
# http.method content "GET" carries no depth or end check.
# Where the host pattern is an address literal (as in the next rule), the rule fires
# only when the Host value is that literal.
# NOTE(review): a request reaching the same server under a different Host value would
# not match - presumably acceptable for a feed-generated rule; verify for your use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"185.235.167.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515571; rev:1;)
# ip:port rules: header-only match on TCP to one address and port, one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [176.65.144.197] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515572/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515572; rev:1;)
alert tcp $HOME_NET any -> [51.38.192.140] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515643; rev:1;)
alert tcp $HOME_NET any -> [8.148.27.195] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515644; rev:1;)
alert tcp $HOME_NET any -> [47.76.168.32] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaus"; depth:5; nocase; http.host; content:"sformydab.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515640/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515640; rev:1;)
alert tcp $HOME_NET any -> [93.198.180.238] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ztortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515608/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"xsnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515607/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"ftortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515605/; target:src_ip;
metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515605; rev:1;)
# url rules: client-side requests on an established flow. http.host must equal the
# listed name exactly (depth equals the pattern length, isdataat:!1,relative rejects
# trailing bytes). The http.uri content is anchored only at the start, so short
# patterns such as "/juj" or "/jub" match every path that begins with those bytes.
# These rules see only HTTP that Suricata can parse as such.
# NOTE(review): traffic to the same hosts over TLS would presumably be covered only by
# a matching domain rule, if one exists - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"ksnakejh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515606/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"fmedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515604/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515604; rev:1;)
# baseurzv.run is also listed as a domain rule elsewhere in this file (sid 91515558),
# so one request to it can raise both a DNS alert and this HTTP alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asuz"; depth:5; nocase; http.host; content:"baseurzv.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515602/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"borijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515603/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmgj"; depth:5; nocase; http.host; content:"aeneasq.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515601/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_04; classtype:trojan-activity; sid:91515601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fj43384ft63/eternaltocpuprocessserveruniversaldatalife.php"; depth:59; nocase; http.host; content:"arsoln2r.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515592; rev:1;)
# ip:port rules: header-only match on TCP to one address and port; the threshold
# keyword limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [161.35.194.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515591; rev:1;)
alert tcp $HOME_NET any -> [139.64.172.67] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515590; rev:1;)
# domain rules: whole-name, case-insensitive match on the DNS query; subdomains of a
# listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coms-gs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmjpaperpqck.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515589; rev:1;)
alert tcp $HOME_NET any -> [185.208.156.169] 6503 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515587; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.30] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515586; rev:1;)
alert tcp $HOME_NET any -> [193.227.129.75] 6595 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_04; classtype:trojan-activity; sid:91515585; rev:1;)
# first_seen changes from 2025_05_04 to 2025_05_03 at the next rule; entries in this
# part of the file run from newer to older.
alert tcp $HOME_NET any -> [148.251.43.15] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d457e8cf.php"; depth:13; nocase; http.host; content:"ct60515.tw1.ru"; depth:14;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515583; rev:1;)
# ip:port rules: the family name in msg comes from the feed. The rule itself matches
# only the destination address and port of a TCP packet leaving $HOME_NET, so it
# cannot confirm which tool is behind the endpoint.
# threshold type limit, track by_src, seconds 60, count 1 gives one alert per source
# address per 60 seconds; a beaconing host shows up as a steady once-a-minute alert,
# not as a count of connections.
# classtype is trojan-activity for every entry regardless of family; use msg or the
# reference URL to prioritise.
alert tcp $HOME_NET any -> [82.78.122.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515582/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515582; rev:1;)
alert tcp $HOME_NET any -> [34.200.80.96] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515581/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515581; rev:1;)
alert tcp $HOME_NET any -> [104.200.73.83] 748 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515580; rev:1;)
# 54.236.199.83 is also listed on port 2154 elsewhere in this file (sid 91515656,
# confidence_level 50); the two entries differ in port, confidence and first_seen.
alert tcp $HOME_NET any -> [54.236.199.83] 2404 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515579; rev:1;)
alert tcp $HOME_NET any -> [196.251.70.182] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515578; rev:1;)
alert tcp $HOME_NET any -> [222.106.222.152] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515577; rev:1;)
# 128.90.113.30 is also listed on port 8808 elsewhere in this file (sid 91515586).
alert tcp $HOME_NET any -> [128.90.113.30] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515576; rev:1;)
alert tcp $HOME_NET any -> [101.201.76.1] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515575; rev:1;)
alert tcp $HOME_NET any -> [196.251.81.84] 4000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515574; rev:1;)
alert tcp $HOME_NET any -> [192.238.206.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515573; rev:1;)
alert tcp $HOME_NET any -> [84.228.159.85] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515569; rev:1;)
alert tcp $HOME_NET any -> [66.42.102.29] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515568; rev:1;)
alert tcp $HOME_NET any -> [16.171.253.150] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515567; rev:1;)
alert tcp $HOME_NET any -> [34.93.33.26] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515566; rev:1;)
alert tcp $HOME_NET any -> [91.103.252.97] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515565; rev:1;)
alert tcp $HOME_NET any -> [5.252.153.103] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515564; rev:1;)
alert tcp $HOME_NET any -> [88.119.174.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515563; rev:1;)
# ip:port rules: header-only match on TCP from $HOME_NET to one address and port,
# limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [196.251.73.23] 5001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515562; rev:1;)
alert tcp $HOME_NET any -> [45.38.170.114] 443 (msg:"ThreatFox GhostSocks botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515561; rev:1;)
# domain rules: dns_query content with depth equal to the name length plus
# isdataat:!1,relative is a whole-name, case-insensitive match; subdomains of a listed
# name do not match. All domain rules from here on carry confidence_level 50.
# NOTE(review): ".eza" is not a TLD I recognise, and the labels under it read like an
# alphabetic substitution of real names. If these are encoded forms taken from a
# sample's configuration, live DNS queries would carry the decoded names and the
# seven .eza rules would never fire - confirm against the ThreatFox entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wfyzizcy.eza"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tbczyczdp.eza"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hzwgpctypld.eza"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ncznzotwpqr.eza"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spxtdaspcpik.eza"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ezaelwpyeh.eza"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gtctotdh.eza"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515553/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lipsdonny.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"narwhaltr.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rabbitw.run"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"warldonvu.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515557; rev:1;)
# baseurzv.run also appears in a url rule elsewhere in this file (sid 91515602,
# confidence_level 75); the domain entry below is confidence_level 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"baseurzv.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lemuruy.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"scriptorumh.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515560/;
target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uhaknews.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515546; rev:1;) alert tcp $HOME_NET any -> [102.41.53.11] 5505 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"elias061010-46923.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"record-mean.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/2q991bze"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515541/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_05_03; classtype:trojan-activity; sid:91515541; rev:1;)
# NOTE(review): the host in the next rule is pastebin.com, a shared paste service, so
# the URI carries the whole indicator. "depth:13" pins the path to the start of
# http.uri but nothing bounds its end, and "nocase" makes the comparison
# case-insensitive, so longer paths with this prefix and other-case spellings of the
# path also match. Confidence is 50%: triage a hit together with the requesting
# host's other activity before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/mqfwcqrz"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515542; rev:1;)
alert tcp $HOME_NET any -> [192.252.180.196] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515540/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515540; rev:1;)
# NOTE(review): in the dns rules below "depth" equals the content length and
# "isdataat:!1,relative" requires that nothing follows, so each rule matches the
# queried name exactly (case-insensitively); a query for a subdomain of the listed
# name does not match. duckdns.org is a dynamic-DNS zone and kozow.com appears to be
# one as well (confirm), so a hostname may change hands: weigh first_seen and the
# 50% confidence level when triaging an alert raised long after that date.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"enviamelejos2025.kozow.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"folz1.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"folz2.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"folz3.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"folz4.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"folz5.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"janedoe.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ogallah-38436.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515538/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"ext.fskartd.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ext.voxyii.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"miraculousubiquity.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alidax.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"and-britain.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"brolyx92.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1515526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nj9590.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"subfrontier.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"myduck1590.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"izumi-sv.f5.si"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nnbotnet.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; 
classtype:trojan-activity; sid:91515520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sapoud.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shoptool.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515522; rev:1;)
# NOTE(review): the ip:port rules below carry no flow or payload keyword, so they
# match on destination address and port alone; a hit records that a $HOME_NET host
# sent TCP traffic there, not that a C2 session was established. Correlate with flow
# or endpoint data before escalating, given the 50% confidence level.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at one
# alert per source address per 60 seconds. The same destination address appears under
# several ports with separate sids, so one host can raise one alert per rule.
alert tcp $HOME_NET any -> [147.185.221.28] 9686 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515517; rev:1;)
alert tcp $HOME_NET any -> [193.158.181.218] 1111 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515518; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.28] 1111 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515515; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.28] 7788 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"players-lawyer.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515514; rev:1;) alert tcp $HOME_NET any -> [85.96.132.196] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"api-cloud-service.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515512; rev:1;) alert tcp $HOME_NET any -> [154.29.79.7] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515507; rev:1;) alert tcp $HOME_NET any -> [185.177.239.206] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; 
sid:91515508; rev:1;)
alert tcp $HOME_NET any -> [185.177.239.206] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515509; rev:1;)
alert tcp $HOME_NET any -> [197.48.124.155] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515510; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.164] 10143 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515511; rev:1;)
# NOTE(review): in the url rules below the http.uri condition is content:"/" with
# depth:1, which any request path beginning with "/" satisfies, so each rule reduces
# to "GET request whose Host value is exactly this IP literal" (depth equals the
# content length and isdataat:!1,relative forbids trailing data). A request to the
# same address with a different Host value, or with a method other than GET, does not
# match. These rules have no threshold keyword, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.147.124.212"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.42.88.41"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515505; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38751b14af054d7d.php"; depth:21; nocase; http.host; content:"62.60.226.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"27.124.4.217"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"27.124.4.223"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.217.209.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"154.61.80.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515499/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"27.124.4.224"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515500/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.196.10.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"213.209.150.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515498/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.178.224.193"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; 
sid:91515496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"159.75.154.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515495/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.234.198.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515494/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"114.55.28.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515493/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.219.49.148"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515492/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515492; rev:1;) alert tcp $HOME_NET any -> [194.59.30.175] 1337 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515491/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515491; rev:1;) alert tcp $HOME_NET any -> [154.197.69.11] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515490/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515490; rev:1;) alert tcp $HOME_NET any -> [172.236.164.27] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515489/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515489; rev:1;) alert tcp $HOME_NET any -> [13.61.196.0] 3050 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515487/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515487; rev:1;) alert tcp $HOME_NET any -> [54.67.4.13] 10022 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515488/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515488; rev:1;) alert tcp $HOME_NET any -> [87.251.244.188] 4001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515486; rev:1;) alert tcp 
$HOME_NET any -> [2.56.109.21] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515485/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515485; rev:1;) alert tcp $HOME_NET any -> [158.247.207.197] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515484/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515484; rev:1;) alert tcp $HOME_NET any -> [158.247.202.109] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515482; rev:1;) alert tcp $HOME_NET any -> [27.102.138.156] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515483/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515483; rev:1;) alert tcp $HOME_NET any -> [185.147.124.94] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515480/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515480; rev:1;) alert tcp $HOME_NET any -> [195.82.147.132] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515481/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515481; rev:1;) alert tcp $HOME_NET any -> [167.86.124.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515478; rev:1;) alert tcp $HOME_NET any -> [172.191.60.202] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515479/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515479; rev:1;) alert tcp $HOME_NET any -> [217.154.50.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515477/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515477; rev:1;) alert tcp $HOME_NET any -> [129.134.160.6] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515476; rev:1;) alert tcp $HOME_NET any -> [162.254.86.108] 4443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515475/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515475; rev:1;) alert tcp $HOME_NET any -> [146.70.213.35] 5986 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515473/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515473; rev:1;) alert tcp $HOME_NET any -> [84.46.239.89] 9443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515474/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515474; rev:1;) alert tcp $HOME_NET any -> [162.254.85.213] 8089 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515472/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515472; rev:1;) alert tcp $HOME_NET any -> [220.124.100.162] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515471; rev:1;) alert tcp $HOME_NET any -> [13.208.248.19] 5150 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515467; rev:1;) alert tcp $HOME_NET any -> [54.151.101.117] 49 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515468/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_05_03; classtype:trojan-activity; sid:91515468; rev:1;) alert tcp $HOME_NET any -> [13.115.247.117] 11 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515469; rev:1;) alert tcp $HOME_NET any -> [51.52.92.243] 6102 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515470; rev:1;) alert tcp $HOME_NET any -> [118.122.8.221] 12443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515465/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515465; rev:1;) alert tcp $HOME_NET any -> [98.103.64.132] 6514 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515466; rev:1;) alert tcp $HOME_NET any -> [198.58.116.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515464/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515464; rev:1;) alert tcp $HOME_NET any -> [176.65.144.221] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515463/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515463; rev:1;) alert tcp $HOME_NET any -> [194.32.77.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515462; rev:1;) alert tcp $HOME_NET any -> [38.147.171.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515459/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515459; rev:1;) alert tcp $HOME_NET any -> [196.251.115.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515460/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515460; rev:1;) alert tcp $HOME_NET any -> [209.38.186.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515461; rev:1;) alert tcp $HOME_NET any -> [51.91.105.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515456/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515456; rev:1;) alert tcp $HOME_NET 
any -> [167.172.29.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515457/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515457; rev:1;) alert tcp $HOME_NET any -> [190.14.37.132] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515458/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515458; rev:1;) alert tcp $HOME_NET any -> [23.94.2.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515452/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515452; rev:1;) alert tcp $HOME_NET any -> [4.201.193.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515453/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515453; rev:1;) alert tcp $HOME_NET any -> [156.224.78.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515454/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515454; rev:1;) alert tcp $HOME_NET any -> [207.244.224.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515455/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515455; rev:1;) alert tcp $HOME_NET any -> [209.38.87.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515450/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515450; rev:1;) alert tcp $HOME_NET any -> [45.94.31.85] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515451/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515451; rev:1;) alert tcp $HOME_NET any -> [175.24.201.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515448/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515448; rev:1;) alert tcp $HOME_NET any -> [107.172.86.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515449/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515449; rev:1;) alert tcp $HOME_NET any -> [40.77.86.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515446/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515446; rev:1;) alert tcp $HOME_NET any -> [34.139.107.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515447/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515447; rev:1;) alert tcp $HOME_NET any -> [34.139.107.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515445/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515445; rev:1;) alert tcp $HOME_NET any -> [167.71.27.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515444/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515444; rev:1;) alert tcp $HOME_NET any -> [154.204.57.57] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515443/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515443; rev:1;) alert tcp $HOME_NET any -> [107.173.62.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515442/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515442; rev:1;) alert tcp $HOME_NET any -> [8.135.237.16] 2223 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515441/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515441; rev:1;) alert tcp 
$HOME_NET any -> [185.196.9.158] 8806 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.122.217.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515433/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_03; classtype:trojan-activity; sid:91515433; rev:1;) alert tcp $HOME_NET any -> [81.19.141.47] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515431; rev:1;) alert tcp $HOME_NET any -> [161.97.138.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515430; rev:1;) alert tcp $HOME_NET any -> [185.196.10.54] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515428; rev:1;) alert tcp $HOME_NET any -> [94.26.90.237] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515429; rev:1;) alert tcp $HOME_NET any -> [155.138.146.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515427; rev:1;) alert tcp $HOME_NET any -> [37.120.155.36] 3434 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515426; rev:1;) alert tcp $HOME_NET any -> [80.64.18.70] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515425; rev:1;) alert tcp $HOME_NET any -> [66.63.187.166] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515424; rev:1;) alert tcp $HOME_NET any -> [8.148.27.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515423; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/165ac327.php"; depth:13; nocase; http.host; content:"fluxcraft22.myartsonline.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515422; rev:1;) alert tcp $HOME_NET any -> [49.232.99.145] 8007 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515420/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515420; rev:1;) alert tcp $HOME_NET any -> [49.232.99.145] 8009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515421/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515421; rev:1;) alert tcp $HOME_NET any -> [129.28.81.156] 8009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515419/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515419; rev:1;) alert tcp $HOME_NET any -> [129.28.81.156] 8007 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515418/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"0fclarmodq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515417/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xqrs69.scwill.my.id"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515416; rev:1;) alert tcp $HOME_NET any -> [176.144.206.234] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515415; rev:1;) alert tcp $HOME_NET any -> [185.196.10.54] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515414; rev:1;) alert tcp $HOME_NET any -> [102.117.166.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515413; rev:1;) alert tcp $HOME_NET any -> [14.237.50.14] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1515412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515412; rev:1;) alert tcp $HOME_NET any -> [62.60.226.21] 30303 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515410; rev:1;) alert tcp $HOME_NET any -> [62.60.226.21] 30304 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515411; rev:1;) alert tcp $HOME_NET any -> [80.76.49.24] 10505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515408; rev:1;) alert tcp $HOME_NET any -> [172.111.139.83] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515409; rev:1;) alert tcp $HOME_NET any -> [121.37.224.68] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"zorjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515406/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"smedicalbitkisel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515405/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"xbrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515404/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"7praetori.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515403/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"4lopusculy.top"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1515402/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515402; rev:1;) alert tcp $HOME_NET any -> [42.192.112.17] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515401; rev:1;) alert tcp $HOME_NET any -> [47.96.251.170] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515400; rev:1;) alert tcp $HOME_NET any -> [13.60.48.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515383; rev:1;) alert tcp $HOME_NET any -> [57.129.141.228] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515384; rev:1;) alert tcp $HOME_NET any -> [13.60.65.67] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515385; rev:1;) alert tcp $HOME_NET any -> 
[147.161.28.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515386; rev:1;) alert tcp $HOME_NET any -> [52.19.219.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515387; rev:1;) alert tcp $HOME_NET any -> [35.156.44.111] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515388; rev:1;) alert tcp $HOME_NET any -> [57.129.13.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515389; rev:1;) alert tcp $HOME_NET any -> [168.231.105.122] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515390; rev:1;) alert tcp $HOME_NET any -> [56.228.14.172] 3390 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1515391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515391; rev:1;) alert tcp $HOME_NET any -> [38.242.207.50] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515392; rev:1;) alert tcp $HOME_NET any -> [95.179.176.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515393; rev:1;) alert tcp $HOME_NET any -> [56.228.32.98] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515382; rev:1;) alert tcp $HOME_NET any -> [54.228.132.247] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515380; rev:1;) alert tcp $HOME_NET any -> [3.124.207.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515378; rev:1;) alert tcp $HOME_NET any -> [63.32.89.115] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515379; rev:1;) alert tcp $HOME_NET any -> [217.182.61.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515381; rev:1;) alert tcp $HOME_NET any -> [3.129.253.119] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515376; rev:1;) alert tcp $HOME_NET any -> [35.173.72.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515377; rev:1;) alert tcp $HOME_NET any -> [155.2.192.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515375; rev:1;) alert tcp $HOME_NET any -> [45.88.91.162] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515372/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515372; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# ip:port rules: the rule header pins a single destination address and port and the
# body has no content or flow keyword, so any TCP packet from $HOME_NET towards that
# endpoint matches. A hit therefore shows that a packet was sent, not that a session
# was established; correlate with flow or firewall logs before concluding that C2
# traffic was exchanged.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [176.65.141.72] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515370; rev:1;)
alert tcp $HOME_NET any -> [45.82.152.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515371; rev:1;)
alert tcp $HOME_NET any -> [206.206.76.49] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515373; rev:1;)
alert tcp $HOME_NET any -> [51.38.137.113] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515374; rev:1;)
# domain rules: depth equals the length of the content string and
# "isdataat:!1,relative" requires that no byte follows it, so together with nocase
# each rule is a case-insensitive match on the whole DNS query name. Subdomains of a
# listed name do not match.
# NOTE(review): the next two names embed an IPv4 address under a hosting provider's
# domain, presumably provider-assigned host names. Such endpoints may later be
# reassigned to another tenant; check first_seen and the referenced ThreatFox entry
# before treating an old hit as confirmed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-208-187-156.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"50-116-22-186.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515369; rev:1;)
alert tcp $HOME_NET any -> [66.179.94.187] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515367; rev:1;)
alert tcp $HOME_NET any -> [35.179.154.120] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515366; rev:1;)
# The confidence level appears twice, in msg and as metadata confidence_level; the
# metadata key is the one to filter on when routing the 75 rules differently from
# the 100 rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.vietdediserver.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515355/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-124-71-139-126.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515364; rev:1;)
# Same address as sid:91515374 above, on a different port and at confidence 75.
alert tcp $HOME_NET any -> [51.38.137.113] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515354/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515354; rev:1;)
alert tcp $HOME_NET any -> [196.251.84.250] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515291/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"formydab.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515325; rev:1;)
alert tcp $HOME_NET any -> [43.218.44.43] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c29e033b-f060-412e-87c6-c2320be33a8d-8888.tenants.hivecompute.ai"; depth:64; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-216-164-122.sta.dodo.net.au"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; 
classtype:trojan-activity; sid:91515396; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# msg distinguishes "payload delivery" from "botnet C2 traffic"; both kinds carry
# classtype:trojan-activity, so the classtype alone does not separate them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cromatsfewbears.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515397; rev:1;)
alert tcp $HOME_NET any -> [176.65.140.37] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515399/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515399; rev:1;)
# url rules: flow:established,from_client restricts matching to client-to-server
# data on an established flow, and only the GET method is matched.
# The http.uri content has depth equal to its length but no end check, so it is a
# case-insensitive prefix match (e.g. "/vpep" also matches a longer path that starts
# with it). The http.host content adds isdataat:!1,relative, so the Host value must
# equal the string exactly.
# NOTE(review): these rules depend on the HTTP parser seeing cleartext; the same URL
# requested over TLS would not match unless traffic is decrypted before the sensor.
# Unlike the ip:port rules, the url rules carry no threshold keyword, so every
# matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipeprocessorprivatetemp.php"; depth:29; nocase; http.host; content:"fouynaatgm.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"0scriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515365/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515365; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.230] 5212 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515363; rev:1;)
# The Cobalt Strike entries below are all confidence 75 and match on address and
# port only. NOTE(review): an address:port pair says nothing about the payload, so
# treat a hit as a lead for host triage rather than proof of a beacon.
alert tcp $HOME_NET any -> [49.232.99.145] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515362/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515362; rev:1;)
alert tcp $HOME_NET any -> [199.7.140.220] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515361/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"5tortoisgfe.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515360/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515360; rev:1;)
alert tcp $HOME_NET any -> [129.28.81.156] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515359/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515359; rev:1;)
alert tcp $HOME_NET any -> [1.95.44.29] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515357/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515357; rev:1;)
alert tcp $HOME_NET any -> [1.95.8.175] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515358/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zhansankun.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515356/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8fe7454a.php"; depth:13; nocase; http.host; content:"a1123026.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"zeczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515352/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"torijinalecza.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515351/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; 
classtype:trojan-activity; sid:91515351; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# The url rules here pair a short URI prefix with an exact Host match. The URI
# content alone ("/jub", "/vax", ...) is too short to be meaningful, so the host
# condition is what keeps these rules specific; do not relax it when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"forijinalecza.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515350/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"4eczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515349/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_03; classtype:trojan-activity; sid:91515349; rev:1;)
# ip:port rules: no content or flow keyword is present, so a match means a TCP packet
# left $HOME_NET for the listed endpoint; it does not show that the connection was
# accepted. Each rule is limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [18.217.106.242] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515348; rev:1;)
# 51.44.221.38 is listed twice (ports 60000 and 52200) under separate sids, so one
# host can raise both alerts within the same minute.
alert tcp $HOME_NET any -> [51.44.221.38] 60000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515347; rev:1;)
alert tcp $HOME_NET any -> [196.120.76.93] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515345; rev:1;)
alert tcp $HOME_NET any -> [51.44.221.38] 52200 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515346; rev:1;)
alert tcp $HOME_NET any -> [45.9.149.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515344; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.216] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515343; rev:1;)
alert tcp $HOME_NET any -> [96.9.124.219] 5006 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515342; rev:1;)
alert tcp $HOME_NET any -> [45.63.106.176] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515341; rev:1;)
# NOTE(review): rules on ports 80 and 443 match any TCP packet to that address,
# whatever site is requested. If the address serves more than one site (not visible
# from here), unrelated traffic would alert too; check the ThreatFox reference.
alert tcp $HOME_NET any -> [38.89.142.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515340; rev:1;)
alert tcp $HOME_NET any -> [212.192.13.62] 9543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515338; rev:1;)
alert tcp $HOME_NET any -> [46.30.188.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_03; classtype:trojan-activity; sid:91515339; rev:1;)
# From here on first_seen changes from 2025_05_03 to 2025_05_02.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"torjinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515337/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"t5eczamedikal.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515336/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aosd"; depth:5; 
nocase; http.host; content:"himselcaked.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515335/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515335; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# Every rule in this group is confidence_level 75. The level is carried in metadata
# as well as in msg, so it can be used to route these alerts to a lower-priority
# queue than the confidence_level 100 rules elsewhere in the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"aysnakejh.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515334/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515334; rev:1;)
# ip:port rules: address and port only, no payload or flow condition; one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [8.210.159.194] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515333/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515333; rev:1;)
alert tcp $HOME_NET any -> [8.135.237.16] 8528 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515332/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515332; rev:1;)
alert tcp $HOME_NET any -> [20.169.41.5] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515331/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515331; rev:1;)
alert tcp $HOME_NET any -> [154.204.35.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515330/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515330; rev:1;)
alert tcp $HOME_NET any -> [1.94.236.193] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515329/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515329; rev:1;)
# domain rules: dns_query is the older spelling of the dns.query buffer (the url
# rules in this file use the dotted http.* form). depth equal to the content length
# plus isdataat:!1,relative makes each rule an exact, case-insensitive match on the
# full query name.
# Two of the names below imitate a software vendor's update host under the .club
# TLD; because the match is on the full name, the vendor's real domains cannot
# trigger these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.shopappnew.sbs"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515328/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.microsofts.club"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515327/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"437t8126e9.qicp.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515326/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.microsoft.club"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515324/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515324; rev:1;)
# The malware family (DeimosC2, QakBot, Eye Pyramid, ...) is present only in the msg
# text; metadata holds just confidence_level and first_seen, so grouping alerts by
# family means parsing msg or following the reference URL.
alert tcp $HOME_NET any -> [76.223.68.71] 10004 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515323/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515323; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.203] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515322/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515322; rev:1;)
alert tcp $HOME_NET any -> [65.108.213.102] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515321/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515321; rev:1;)
alert tcp $HOME_NET any -> [47.246.41.90] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515320/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515320; rev:1;)
alert tcp $HOME_NET any -> [3.87.151.108] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515319/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515319; rev:1;)
alert tcp $HOME_NET any -> [201.191.169.36] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515318/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515318; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# All rules in this group are ip:port rules. They match on destination address and
# port alone, and "threshold: type limit, track by_src, seconds 60, count 1" limits
# each rule to one alert per source address per 60 seconds, so the alert count does
# not reflect how many packets or connections were seen.
# target:src_ip marks the $HOME_NET source as the target of the event, i.e. the
# internal host is the asset to investigate.
alert tcp $HOME_NET any -> [201.103.78.162] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515317/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515317; rev:1;)
alert tcp $HOME_NET any -> [194.55.245.35] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515316/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515316; rev:1;)
alert tcp $HOME_NET any -> [163.181.88.108] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515315/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515315; rev:1;)
alert tcp $HOME_NET any -> [104.248.5.186] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515313/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515313; rev:1;)
# confidence_level 100 from here to the end of this group.
alert tcp $HOME_NET any -> [172.245.152.21] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515312; rev:1;)
alert tcp $HOME_NET any -> [45.12.150.199] 443 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515311; rev:1;)
alert tcp $HOME_NET any -> [110.40.77.62] 888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515310; rev:1;)
alert tcp $HOME_NET any -> [172.201.216.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515309; rev:1;)
# The family label is only in msg; several AsyncRAT and Remcos entries follow, each
# with its own sid derived from the ThreatFox IOC id in the reference URL.
alert tcp $HOME_NET any -> [196.251.118.128] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515306; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.68] 1000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515307; rev:1;)
alert tcp $HOME_NET any -> [23.254.211.137] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515308; rev:1;)
alert tcp $HOME_NET any -> [209.126.11.215] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515305; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.33] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515304; rev:1;)
alert tcp $HOME_NET any -> [212.69.86.8] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515301; rev:1;)
alert tcp $HOME_NET any -> [188.93.233.249] 8088 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515302; rev:1;)
alert tcp $HOME_NET any -> [185.39.207.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515303; rev:1;)
alert tcp $HOME_NET any -> [89.117.77.234] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515299/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515299; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# Each sid is the ThreatFox IOC id from the rule's reference URL with a leading 9
# (e.g. ioc/1515300 -> sid:91515300), so an alert's sid can be mapped back to the
# IOC entry without parsing the rule text.
alert tcp $HOME_NET any -> [45.74.15.226] 3402 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515300; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.60] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515297; rev:1;)
alert tcp $HOME_NET any -> [139.99.22.173] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515298; rev:1;)
alert tcp $HOME_NET any -> [111.229.219.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515295; rev:1;)
alert tcp $HOME_NET any -> [154.37.213.163] 3232 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515296; rev:1;)
alert tcp $HOME_NET any -> [179.43.186.223] 64555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515294; rev:1;)
# url rules: GET only, client-to-server on an established flow. http.uri is matched
# as a case-insensitive prefix (depth equals the content length, no end check);
# http.host must equal the listed string exactly (depth plus isdataat:!1,relative).
# No threshold keyword is present on url rules, so every matching request alerts.
# NOTE(review): a request to the same host over TLS is not inspected by these rules
# unless the traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1f2a33b.php"; depth:13; nocase; http.host; content:"a1122389.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515293; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.100] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515292; rev:1;)
# The url rules below are confidence_level 75 and share short URI prefixes across
# several similar-looking host names; each host name is a separate exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"reczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515290/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"pdisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515289/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paxk"; depth:5; nocase; http.host; content:"tortoisgfe.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515288/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"temedicalbitkisel.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515287/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsk"; depth:5; nocase; http.host; content:"snakejh.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515286/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"qeczakozmetik.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515285/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaus"; depth:5; nocase; http.host; 
content:"formydab.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515284/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515284; rev:1;)
# Review notes (comments only; rule text below is unchanged, one rule per line).
# url rules: URI is a case-insensitive prefix match, Host is an exact match, GET
# only, cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"eczamedikal.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515283/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"0teczakozmetik.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515282/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515282; rev:1;)
# domain rules: exact, case-insensitive match on the whole query name. The two
# names below are listed here at confidence_level 100, while the url rules for the
# same hosts earlier in the file (sid:91515288, sid:91515286) are confidence_level
# 75; a single infected host can therefore raise a DNS alert and an HTTP alert for
# the same indicator at different confidence levels.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tortoisgfe.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snakejh.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515265; rev:1;)
# ip:port rules: destination address and port only, no payload or flow condition, so
# a hit records an outbound packet rather than a completed session. One alert per
# source address per 60 seconds for each rule.
alert tcp $HOME_NET any -> [193.233.112.30] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515281; rev:1;)
alert tcp $HOME_NET any -> [13.57.193.25] 39072 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515280; rev:1;)
alert tcp $HOME_NET any -> [42.115.180.118] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515279; rev:1;)
alert tcp $HOME_NET any -> [191.13.60.99] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515277; rev:1;)
alert tcp $HOME_NET any -> [172.174.239.189] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515278; rev:1;)
alert tcp $HOME_NET any -> [181.162.152.83] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515276; rev:1;)
# Three consecutive "Unknown malware" entries share port 7443. The address in
# sid:91515275 is the one embedded in the host name matched by the domain rule
# sid:91515369 earlier in the file, so both rules can fire for the same endpoint.
alert tcp $HOME_NET any -> [209.74.71.198] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515274; rev:1;)
alert tcp $HOME_NET any -> [50.116.22.186] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515275; rev:1;)
alert tcp $HOME_NET any -> [93.115.172.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515273; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.105] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515272; rev:1;)
alert tcp $HOME_NET any -> [185.177.239.206] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515270; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.216] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1515271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515271; rev:1;) alert tcp $HOME_NET any -> [89.213.142.173] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515268; rev:1;) alert tcp $HOME_NET any -> [196.251.73.23] 5002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515269; rev:1;) alert tcp $HOME_NET any -> [45.134.48.104] 56002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515267; rev:1;) alert tcp $HOME_NET any -> [123.56.82.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"feedback.5moves2monetizechallenge.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; 
classtype:trojan-activity; sid:91515262; rev:1;) alert tcp $HOME_NET any -> [166.88.182.191] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exciteemce.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515241/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dimerabb.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515243/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vennedkufp.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515242/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"slowneyfti.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515244/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"genusmlfhv.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515245/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iiiowrc.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"golkii.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515247/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lucasetql.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515248/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"legniveb.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515250/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hallsire.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1515249/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deracieqwg.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515251/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lucidanp.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515252/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"polemodeae.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515253/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iulianau.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515254/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neolamraxc.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515255/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; 
sid:91515255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jobautoo.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515256/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"circumii.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515257/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wizardschou.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515258/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peasazp.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515259/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mustelxfzf.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515260/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515260; rev:1;) alert tcp $HOME_NET any -> [209.141.34.106] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515261/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te4h2nus/login.php"; depth:19; nocase; http.host; content:"185.156.72.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feedback.5moves2monetizechallenge.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515240; rev:1;) alert tcp $HOME_NET any -> [38.49.43.40] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mdexswap.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"thebalan-er.com"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dodoexchange.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v4-biswap.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app.kyberwsap.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kyberswap-v2.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.v2-biswap.pro"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515217/; target:src_ip; metadata: confidence_level 
50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"biswap.org-earn.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"soildly.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515219/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"exchange.soildly.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.spooky-swap.pro"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515221/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spooky.io-swap.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515222/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app.thorswap-v2.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515223/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"thor-swap.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515224/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2-mdex.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ledger.limited"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515230/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app.rndex.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515226/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.v2-velodrorne.com"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515227/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"velodrome.finance-superchain.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515228/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"helplive-ledger.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515229/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kodiak-finance.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515231/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"camelot-swap.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515232/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"camelot-ex.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515234/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app.rabbltx.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515236/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"camelot.exc-v3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515233/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeddexexchange.live"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515235/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rabbitx.pro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515237/; target:src_ip; metadata: confidence_level 50, first_seen 2025_05_02; classtype:trojan-activity; sid:91515237; rev:1;) alert tcp $HOME_NET any -> [185.156.72.96] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515210; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 60199 (msg:"ThreatFox 
XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515205; rev:1;) alert tcp $HOME_NET any -> [147.185.221.28] 10537 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515208; rev:1;) alert tcp $HOME_NET any -> [5.182.226.142] 33991 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515209; rev:1;) alert tcp $HOME_NET any -> [216.9.225.168] 14309 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515207/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515207; rev:1;) alert tcp $HOME_NET any -> [216.9.225.168] 14308 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515206/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"rdisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1515204/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lxaz"; depth:5; nocase; http.host; content:"orjinalecza.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515203/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jub"; depth:4; nocase; http.host; content:"orijinalecza.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515202/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kazd"; depth:5; nocase; http.host; content:"orijinalecza.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515201/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juj"; depth:4; nocase; http.host; content:"medicalbitkisel.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515200/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qop"; depth:4; nocase; http.host; content:"eczakozmetik.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515199/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; nocase; http.host; content:"aeczamedikal.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515198/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515198; rev:1;) alert tcp $HOME_NET any -> [193.26.115.156] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515197; rev:1;) alert tcp $HOME_NET any -> [43.139.57.190] 42567 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-160.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515195; rev:1;) alert tcp $HOME_NET any -> [172.111.151.97] 81 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515194; rev:1;) alert tcp $HOME_NET any -> [196.251.116.216] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515191; rev:1;) alert tcp $HOME_NET any -> [196.251.116.216] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515192; rev:1;) alert tcp $HOME_NET any -> [176.65.141.56] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515193; rev:1;) alert tcp $HOME_NET any -> [54.69.65.62] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te4h2nus/index.php"; depth:19; nocase; http.host; content:"185.156.72.96"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"otototototoqqlfk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dasopdoaodoaoaoao.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515186; rev:1;) alert tcp $HOME_NET any -> [178.156.169.224] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515188/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515188; rev:1;) alert tcp $HOME_NET any -> [206.217.141.249] 9080 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orjinalecza.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; 
classtype:trojan-activity; sid:91515150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eczakozmetik.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orijinalecza.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eczamedikal.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medicalbitkisel.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515154; rev:1;) alert tcp $HOME_NET any -> [89.19.209.162] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515182/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515182; rev:1;) alert tcp $HOME_NET any -> [89.19.211.19] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515183/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515183; rev:1;) alert tcp $HOME_NET any -> [89.208.243.215] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515184/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515184; rev:1;) alert tcp $HOME_NET any -> [35.71.161.85] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515181/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515181; rev:1;) alert tcp $HOME_NET any -> [34.224.53.176] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515180/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515180; rev:1;) alert tcp $HOME_NET any -> [2.58.87.58] 12165 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515179/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515179; rev:1;) alert tcp $HOME_NET any -> [18.166.221.94] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515178/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515178; rev:1;) 
# ThreatFox-derived Suricata rules, restored to one rule per line.
# Three rule templates appear in this run:
#
#   alert tcp ... -> [IP] PORT   (ip:port IOC)
#       No flow or payload keywords: any TCP packet from $HOME_NET to the
#       listed address and port matches, whatever protocol is spoken on it.
#       `threshold: type limit, track by_src, seconds 60, count 1` caps the
#       output at one alert per source address per 60 seconds for each rule.
#
#   alert http ...               (url IOC)
#       Client-side request whose method buffer contains "GET", whose
#       http.uri starts with the listed path (`depth` anchors the content at
#       offset 0, `nocase`, no end-of-buffer check, so it is a prefix match),
#       and whose http.host equals the listed name (`depth` equal to the
#       content length plus `isdataat:!1,relative`).
#       These rules inspect parsed HTTP only; the same host reached over TLS
#       is not matched by them.
#
#   alert dns ...                (domain IOC)
#       dns_query (older spelling of the dns.query buffer) must equal the
#       listed name, case-insensitively; a subdomain of it does not match.
#
# Fields common to all rules: `target:src_ip` marks the $HOME_NET endpoint as
# the target in the generated event; `metadata` carries the feed's
# confidence_level and first_seen; each sid is the digit 9 followed by the
# ThreatFox IOC id found in the rule's reference URL.
#
# Triage note: an alert shows that a host contacted a listed endpoint. Check
# the reference entry, the confidence_level and host telemetry before
# treating it as a confirmed infection. Every rule in this run carries
# first_seen 2025_05_02; address-based indicators lose value as hosting
# addresses are reassigned, so keep the feed refreshed.

alert tcp $HOME_NET any -> [15.197.202.170] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515177/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get64.gif"; depth:10; nocase; http.host; content:"18.166.113.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515176/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515176; rev:1;)
alert tcp $HOME_NET any -> [108.128.25.49] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515175/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515175; rev:1;)
alert tcp $HOME_NET any -> [51.68.235.80] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515174; rev:1;)
alert tcp $HOME_NET any -> [167.86.172.163] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515173; rev:1;)
alert tcp $HOME_NET any -> [206.238.42.172] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515172; rev:1;)
alert tcp $HOME_NET any -> [18.167.254.207] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515171; rev:1;)
alert tcp $HOME_NET any -> [37.72.168.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515170; rev:1;)
alert tcp $HOME_NET any -> [172.174.239.189] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515169; rev:1;)
alert tcp $HOME_NET any -> [154.61.80.193] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515168; rev:1;)
alert tcp $HOME_NET any -> [94.141.122.175] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515165; rev:1;)
alert tcp $HOME_NET any -> [94.103.90.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515166; rev:1;)
alert tcp $HOME_NET any -> [91.92.46.192] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515167; rev:1;)
alert tcp $HOME_NET any -> [155.138.146.111] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515164; rev:1;)
alert tcp $HOME_NET any -> [54.208.187.156] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515163; rev:1;)
# Several addresses below are listed once per port; each address/port pair is
# its own rule with its own sid and its own 60-second alert limit.
alert tcp $HOME_NET any -> [47.92.222.219] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515160; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.213] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515161; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.213] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515162; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.56] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515157; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.56] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515158; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.141] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515159; rev:1;)
alert tcp $HOME_NET any -> [2.56.109.21] 4444 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515156; rev:1;)
alert tcp $HOME_NET any -> [54.244.226.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515155; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.81] 4441 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515149/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515149; rev:1;)
# url IOCs: short path prefix plus exact Host. The msg names no malware family
# for these; the reference URL is the place to look it up. Unlike the ip:port
# rules, these carry no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"wscriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515148/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"pbrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515147/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asuz"; depth:5; nocase; http.host; content:"9baseurzv.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515146/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"mtpraetori.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515145/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"hgcivitasu.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515144/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"8disciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515143/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"4civitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515142/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"1opusculy.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515140/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"2viriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515141/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515141; rev:1;)
# The http.uri content here is "/" with depth:1, which every request path
# satisfies, so this rule reduces to: any GET whose Host is the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.180.94.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"otechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515138/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"obtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515137/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tajsh"; depth:6; nocase; http.host; content:"aureliae.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515136/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515136; rev:1;)
alert tcp $HOME_NET any -> [176.65.148.181] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514695/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91514695; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.49] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515104; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.49] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515105; rev:1;)
alert tcp $HOME_NET any -> [176.65.141.49] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515106; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.242] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unifi.ekefi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515108; rev:1;)
alert tcp $HOME_NET any -> [2.57.241.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515109; rev:1;)
alert tcp $HOME_NET any -> [119.42.148.190] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515110; rev:1;)
# "Unknown malware" entries: the msg gives no family name, so the alert text
# alone does not say what to hunt for on the host; start from the reference URL.
alert tcp $HOME_NET any -> [124.220.103.88] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515113; rev:1;)
alert tcp $HOME_NET any -> [46.8.226.58] 43 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515111; rev:1;)
alert tcp $HOME_NET any -> [103.127.135.159] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515112; rev:1;)
alert tcp $HOME_NET any -> [34.228.180.108] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515114; rev:1;)
alert tcp $HOME_NET any -> [20.61.246.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515115; rev:1;)
alert tcp $HOME_NET any -> [172.105.191.247] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515116; rev:1;)
alert tcp $HOME_NET any -> [78.153.246.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515117; rev:1;)
alert tcp $HOME_NET any -> [154.53.45.115] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515118; rev:1;)
alert tcp $HOME_NET any -> [3.144.250.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515119; rev:1;)
alert tcp $HOME_NET any -> [13.61.16.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515120; rev:1;)
alert tcp $HOME_NET any -> [13.212.48.24] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515121; rev:1;)
alert tcp $HOME_NET any -> [35.169.199.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515122; rev:1;)
alert tcp $HOME_NET any -> [35.156.44.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515123; rev:1;)
alert tcp $HOME_NET any -> [140.125.82.35] 8088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515124; rev:1;)
alert tcp $HOME_NET any -> [54.175.68.127] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515125; rev:1;)
alert tcp $HOME_NET any -> [13.60.81.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515126; rev:1;)
alert tcp $HOME_NET any -> [83.228.193.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515127; rev:1;)
alert tcp $HOME_NET any -> [13.201.190.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515128; rev:1;)
alert tcp $HOME_NET any -> [65.0.183.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515129; rev:1;)
# domain IOCs: exact, case-insensitive match on the queried name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stat.bluetroniq.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"raw.intenseproxy.zip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515103/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515103; rev:1;)
alert tcp $HOME_NET any -> [193.200.78.28] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515101/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91515101; rev:1;)
alert tcp $HOME_NET any -> [45.141.233.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515102; rev:1;)
# Lowest confidence_level in this run (25). The rule has the same action and
# classtype as the 100% entries, so any down-weighting has to be done on the
# metadata value when tuning or triaging.
alert tcp $HOME_NET any -> [194.67.206.185] 6547 (msg:"ThreatFox Empire Downloader payload delivery (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514693/; target:src_ip; metadata: confidence_level 25, first_seen 2025_05_02; classtype:trojan-activity; sid:91514693; rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for the rules in this part of the feed (all carry
# first_seen 2025_05_02 in their metadata).
#
# Three rule shapes appear here:
#   * ip:port (alert tcp): matches on destination IP and port only. There is
#     no flow or flags keyword, so any TCP packet from $HOME_NET to the
#     endpoint matches, including a connection attempt that never completes;
#     the threshold keeps that to one alert per source address per 60 seconds.
#   * domain (alert dns): depth equal to the content length, together with
#     isdataat:!1,relative, pins the match to the whole query name, compared
#     case-insensitively (nocase). Subdomains of the listed name do not match.
#   * url (alert http): client-to-server traffic on an established flow with
#     "GET" in http.method, a case-insensitive prefix match on http.uri
#     (depth without isdataat, so "/xap" also matches longer paths that start
#     with it) and a whole-buffer match on http.host. These rules only match
#     traffic Suricata parses as HTTP; the same host reached over TLS is not
#     inspected by them unless it is decrypted upstream.
#
# target:src_ip marks the $HOME_NET side as the target in the alert record,
# i.e. the internal host to triage.
# ---------------------------------------------------------------------------

# ip:port - Mirai C2 endpoint, confidence level 75%.
alert tcp $HOME_NET any -> [176.65.148.181] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514694/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91514694; rev:1;)

# domain - payload delivery names, confidence level 100%.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tnop.pages.dev"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"salorttactical.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"septembergoodwine.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mesip.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514676; rev:1;)

# domain - botnet C2 name (the msg names no malware family).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"triremeo.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514670; rev:1;)

# url - botnet C2 over HTTP (URI prefix + exact host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xap"; depth:4; nocase; http.host; content:"dogalmedical.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"girlsgrain.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515135; rev:1;)

# ip:port - Cobalt Strike, NjRAT and NetSupportManager RAT C2 endpoints,
# confidence level 100%. Several use common service ports (80, 81, 8000), so
# the destination address is the only discriminator in these rules.
alert tcp $HOME_NET any -> [205.198.85.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515132; rev:1;)
alert tcp $HOME_NET any -> [154.21.201.16] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515133; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.28] 6997 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515131; rev:1;)
alert tcp $HOME_NET any -> [93.198.188.83] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1515130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515130; rev:1;)

# domain - botnet C2 names, confidence level 100%.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasicamondan.mentality.cloud"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"categories-survivors.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1515100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515100; rev:1;)

# url - botnet C2 over HTTP, confidence level 100%.
# Many hosts below share a URI path and differ only in a few leading
# characters of the host name (for example "/ewqd" with several
# *jawdedmirror.run hosts). Each rule matches one exact host, so a variant
# that is not listed does not match; the shared path and host suffix are
# useful pivots when searching proxy or HTTP logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"3jawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"8quilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hdaf"; depth:5; nocase; http.host; content:"moleqew.run"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"7lonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"3tliftally.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"gpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"dzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"alatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ansbwqy"; depth:8; nocase; http.host; content:"4esccapewz.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"eliftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"zlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"ipiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"f.hemispherexz.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"buequatorf.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqbdz"; depth:6; nocase; http.host; content:"gsmartbitsx.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnaj"; depth:5; nocase; http.host; content:"mexratet.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"0nighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"2salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"c0clarmodq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"qlongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"o3clarmodq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"xtopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pokl"; depth:5; nocase; http.host; content:"revomodm.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"2zjawdedmirror.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"pzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"npiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"6kjawdedmirror.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuyd"; depth:5; nocase; http.host; content:"okapigdf.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"eclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noagis"; depth:7; nocase; http.host; content:"cywmedici.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"2zestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"pnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"njawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"kquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"aclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"0biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thnb"; depth:5; nocase; http.host; content:"jproenhann.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"n9changeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"frlonfgshadow.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oagx"; depth:5; nocase; http.host; content:"wawrdenshire.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"zgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"apiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"zfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"jbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"z1topographky.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"yjawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"8jgeographys.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"qbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"alongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/askwjq"; depth:7; nocase; http.host; content:"ztouvrlane.bet"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"pquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"oclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"jclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"wvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"chemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"wpquilltayle.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"zstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"8latitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"6owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"0changeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"lvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"zbstarofliught.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"ztopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"h2jawdedmirror.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/torieu"; depth:7; nocase; http.host; content:"porpoisecx.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agio"; depth:5; nocase; http.host; content:"lancefighsg.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tgre"; depth:5; nocase; http.host; content:"sdynamiczl.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"etjawdedmirror.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"ocartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"pvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"mtropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"l2zestmodp.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"hsalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"bjawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"jowlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"1salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoi"; depth:5; nocase; http.host; content:"econnit.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"nlonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"ystarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"7hemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"kchangeaie.top"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oage"; depth:5; nocase; http.host; content:"8pepperiop.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agaosnd"; depth:8; nocase; http.host; content:"anemonebv.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"gtopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oapd"; depth:5; nocase; http.host; content:"stoatrt.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515017; rev:1;) 
# ThreatFox URL indicators as Suricata HTTP rules, one rule per line.
# Each rule fires on an established client-to-server flow from $HOME_NET when
# the method buffer contains "GET", the URI begins with the listed path (depth
# equals the pattern length; nocase; nothing anchors the end, so longer URIs
# with that prefix also match) and the normalized Host equals the listed name
# exactly (depth equals the name length; isdataat:!1,relative rejects any
# trailing byte).
# sid is 90000000 plus the ThreatFox IOC id in the reference URL; target:src_ip
# records the $HOME_NET source as the affected side of the event.
# NOTE(review): http rules only see requests Suricata can parse as cleartext
# HTTP; TLS sessions to the same names are not covered here - confirm whether
# dns/tls rules for these hosts are deployed alongside.
# NOTE(review): no threshold keyword is set, so every matching request alerts;
# rate-limit in threshold.config if a beaconing host floods the queue.
# NOTE(review): several entries share a path and differ only in the leading
# characters of the host (e.g. the /wozd rules ending in starofliught.top);
# the exact Host match will not catch unlisted variants. first_seen is
# 2025_05_02 - check the indicator's current ThreatFox status before blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tanb"; depth:5; nocase; http.host; content:"slovenecow.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/babo"; depth:5; nocase; http.host; content:"afreeconx.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"dchangeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"4hemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"ajawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"5salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azxs"; depth:5; nocase; http.host; content:"i6easyfwdr.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"nquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"hstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idjj"; depth:5; nocase; http.host; content:"pldcbus.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"2piratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"lstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"sequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"2owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1515000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91515000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"4biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"cowlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"8fstarofliught.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaps"; depth:5; nocase; http.host; content:"antelopej.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ekdlsk"; depth:7; nocase; http.host; content:"uspacedbv.world"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"3lonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"cxquilltayle.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wqeinqene.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514993; rev:1;)
# ThreatFox URL indicators as Suricata HTTP rules, one rule per line.
# Each rule fires on an established client-to-server flow from $HOME_NET when
# the method buffer contains "GET", the URI begins with the listed path (depth
# equals the pattern length; nocase; nothing anchors the end, so longer URIs
# with that prefix also match) and the normalized Host equals the listed name
# exactly (depth equals the name length; isdataat:!1,relative rejects any
# trailing byte).
# sid is 90000000 plus the ThreatFox IOC id in the reference URL; target:src_ip
# records the $HOME_NET source as the affected side of the event.
# NOTE(review): http rules only see requests Suricata can parse as cleartext
# HTTP; TLS sessions to the same names are not covered here - confirm whether
# dns/tls rules for these hosts are deployed alongside.
# NOTE(review): no threshold keyword is set, so every matching request alerts;
# rate-limit in threshold.config if a beaconing host floods the queue.
# NOTE(review): several entries share a path and differ only in the leading
# characters of the host (e.g. the /qopy rules ending in owlflright.digital);
# the exact Host match will not catch unlisted variants. first_seen is
# 2025_05_02 - check the indicator's current ThreatFox status before blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"5latitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"lyjawdedmirror.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bayz"; depth:5; nocase; http.host; content:"xagroeconb.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"yhqclimatologfy.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"a.owlflright.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"kgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aopi"; depth:5; nocase; http.host; content:"turtlery.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"anighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"wequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"6geographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"0latitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"4longitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"iquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"wcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gposzd"; depth:7; nocase; http.host; content:"btwilitghtarc.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gant"; depth:5; nocase; http.host; content:"econbult.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"2starofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dzkl"; depth:5; nocase; http.host; content:"scriptorumh.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"4uclarmodq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"fkbiosphxere.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rqwr"; depth:5; nocase; http.host; content:"indoeconw.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"bpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"0hgeographys.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"mwtquilltayle.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasbuz"; depth:7; nocase; http.host; content:"quselfdefens.bet"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"r43owlflright.digital"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"yglongitudde.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"8nighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"n5biosphxere.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"4owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"6zestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"0climatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"q0topographky.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noagis"; depth:7; nocase; http.host; content:"4ywmedici.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"1owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"cbuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"8woodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"nsalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"1changeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"svigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iozz"; depth:5; nocase; http.host; content:"dorangemyther.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqbdz"; depth:6; nocase; http.host; content:"smartbitsx.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tooz"; depth:5; nocase; http.host; content:"stratinfot.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"hclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514950; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"sclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pttb-opi.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anzs"; depth:5; nocase; http.host; content:"vlmrodularmall.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"8esalaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gsooz"; depth:6; nocase; http.host; content:"tsalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"qpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"ulonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"nstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"ygeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514938/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"a9topographky.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"9owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"2liftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"cstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"oequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"zchangeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yhio"; depth:5; nocase; http.host; content:"hedgehocvg.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"themispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"ojawdedmirror.run"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"hzlatitudert.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gspaz"; depth:6; nocase; http.host; content:"7xrfxcaseq.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"50woodpeckersd.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kensj"; depth:6; nocase; http.host; content:"atirflee.world"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514929; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"e0ynighetwhisper.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"oclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopwe"; depth:6; nocase; http.host; content:"hdragoqnfly.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"uclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/danjhw"; depth:7; nocase; http.host; content:"gcrosshairc.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"lmlatitudert.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"9piratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"v3nvigorbridgoe.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"2biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514920/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"fjliftally.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"gnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alosnz"; depth:7; nocase; http.host; content:"awxayfarer.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkaozj"; depth:7; nocase; http.host; content:"rugbybrign.life"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"mquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"asylumejkr.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"fpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"6hemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"llongitudde.digital"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"jchangeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"bowlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"nhemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asjnzh"; depth:7; nocase; http.host; content:"gsighbtseeing.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514906; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"0cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"zdvigorbridgoe.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"zliftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"ybardcauft.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ewqd"; depth:5; nocase; http.host; content:"zjawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"kcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"uquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqwozp"; depth:7; nocase; http.host; content:"silveyrmoon.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxepw"; depth:6; nocase; http.host; content:"ggrxeasyw.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514889/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zqwig"; depth:6; nocase; http.host; content:"valortruade.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"n6nighetwhisper.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksiio"; depth:7; nocase; http.host; content:"xadvennture.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"5changeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kfwo"; depth:5; nocase; http.host; content:"zfurrycomp.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514894; rev:1;)
#
# Reviewer notes on the URL-type rules below (all first_seen 2025_05_02).
#
# Match logic: an HTTP GET from $HOME_NET to $EXTERNAL_NET on an established,
# client-side flow, where
#   - http.uri begins with the listed path (depth equals the content length, nocase;
#     there is no end-of-buffer check, so a longer URI sharing the prefix also matches);
#   - http.host is exactly the listed name (depth equals the content length and
#     isdataat:!1,relative requires that nothing follows it).
#
# Coverage: `alert http` only sees traffic Suricata parses as HTTP. The rule text does
# not record whether the reported URL was http or https; if it was https, these rules
# fire only where TLS is decrypted ahead of the sensor. DNS or TLS SNI telemetry for the
# same host names is the usual complement. Check the referenced ThreatFox entry to confirm.
#
# Triage: the msg carries no malware family name. The sid is 9 followed by the ThreatFox
# IOC id, and reference:url points at the same entry, so either can be used for lookup.
# target:src_ip marks the $HOME_NET client as the target side of the alert.
#
# Volume: unlike the feed's ip:port rules, these carry no `threshold`, so every matching
# request alerts. Rate-limit in threshold.config if needed rather than editing the rules
# in place; presumably the feed regenerates them on update (TODO confirm).
#
# Related hosts: several names in this batch share a URI path and differ only in the
# leading characters of the host label (e.g. the "/xasj" entries). Each is an exact-match
# indicator, so when one fires it is worth reviewing proxy/DNS logs for the same path
# on the sibling hosts.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wpoo"; depth:5; nocase; http.host; content:"ofreshenqew.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nghsaya"; depth:8; nocase; http.host; content:"3weaponwo.life"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"jquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"lnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"xlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"0owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"2clarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"4cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasbuz"; depth:7; nocase; http.host; content:"1selfdefens.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"7owlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"v0zestmodp.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"vtropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"sstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nahd"; depth:5; nocase; http.host; content:"wznxcelmodo.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rtdd"; depth:5; nocase; http.host; content:"antilcvope.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noagis"; depth:7; nocase; http.host; content:"rmywmedici.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gpazdg"; depth:7; nocase; http.host; content:"knightliyway.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"nliftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"etopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"2nighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"gclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"5quilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"0woodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btnf"; depth:5; nocase; http.host; content:"qsectorecoo.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"hpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"eowlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"8climatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giaozp"; depth:7; nocase; http.host; content:"devloopt.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"5liftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"4salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"atopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"znighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"flatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"z9changeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eosz"; depth:5; nocase; http.host; content:"4veasyupgw.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"1liftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aoiz"; depth:5; nocase; http.host; content:"0darjkafsg.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"2lonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqow"; depth:5; nocase; http.host; content:"hungreecoq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ijnn"; depth:5; nocase; http.host; content:"jellyfisnbnh.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"6climatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"7woodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"7bearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"43liftally.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poai"; depth:5; nocase; http.host; content:"hgazellevb.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"clongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pqowen"; depth:7; nocase; http.host; content:"steelgoy.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopwe"; depth:6; nocase; http.host; content:"dragoqnfly.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tikl"; depth:5; nocase; http.host; content:"2newzeconi.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"0r.zestmodp.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"3-starofliught.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"n24nighetwhisper.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"h9bardcauft.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/znxbhi"; depth:7; nocase; http.host; content:"rtravewlio.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"jlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agji"; depth:5; nocase; http.host; content:"econbele.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaebyd"; depth:7; nocase; http.host; content:"mutedhofrn.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"rcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbips"; depth:6; nocase; http.host; content:"bcjlaspcorne.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"6fzestmodp.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"0quilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"ibiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gids"; depth:5; nocase; http.host; content:"telvernwood.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"lsalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"9tropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aniodg"; depth:7; nocase; http.host; content:"udrbettere.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"qlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"1longitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"estarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gspaz"; depth:6; nocase; http.host; content:"jxrfxcaseq.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsazx"; depth:6; nocase; http.host; content:"ferrexz.run"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"3starofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"4liftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"7vigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasbuz"; depth:7; nocase; http.host; content:"pselfdefens.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"9geographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"vhemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"nnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"0equatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dksuq"; depth:6; nocase; http.host; content:"triggerte.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeui"; depth:5; nocase; http.host; content:"hmediaflowq.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"abuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"jliftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"gqzestmodp.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"6starofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"enighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnny"; depth:5; nocase; http.host; content:"techfocusm.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnpp"; depth:5; nocase; http.host; content:"rebuildecuon.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"hlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"ycartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gids"; depth:5; nocase; http.host; content:"8elvernwood.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"9quilltayle.live"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"xgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"n3climatologfy.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"7liftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"9zestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514792; rev:1;) 
# ThreatFox URL indicators, one rule per IOC. Every rule in this group has the same shape:
#   - flow:established,from_client  -> only client requests on an established flow are inspected.
#   - http.method content "GET"     -> the method buffer must contain GET.
#   - http.uri content + depth      -> depth equals the path length, so the URI must START with the
#                                      path (nocase). No end anchor follows, so longer URIs that
#                                      share the prefix also match.
#   - http.host content + depth + isdataat:!1,relative
#                                   -> depth equals the hostname length and no byte may follow, so
#                                      the Host value must equal the listed name exactly. The
#                                      pattern is lowercase, as the normalized host buffer requires.
#   - target:src_ip                 -> the $HOME_NET client is recorded as the target of the alert.
#   - sid                           -> in every rule here it is "9" followed by the ThreatFox IOC id
#                                      that appears in the reference URL.
#
# Deployment notes for analysts:
#   - "alert http" only sees requests Suricata can parse as HTTP. The scheme of the underlying IOC
#     is not shown in this file; if the ThreatFox entry is an https:// URL, these rules will not
#     fire without TLS decryption. Pair them with a dns.query or tls.sni match on the same hostname
#     where coverage matters.
#   - The rules carry no threshold keyword, so each matching request raises its own alert; rate-limit
#     in threshold.config if a compromised host beacons frequently.
#   - Several hostnames differ only in their leading characters (e.g. the *nighetwhisper.top and
#     *piratetwrath.run entries). Because the host match is exact, variants not listed are missed.
#     NOTE(review): whether these are distinct registered domains or artefacts of how the
#     indicator was extracted cannot be told from here; confirm against the ThreatFox entry.
#   - All entries carry first_seen 2025_05_02; domain indicators age quickly, so review this feed
#     for expiry rather than keeping the rules indefinitely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"pwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foajsi"; depth:7; nocase; http.host; content:"cnavstarx.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"mbnighetwhisper.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"0piratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"ibequatorf.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"dlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"jnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopy"; depth:5; nocase; http.host; content:"zowlflright.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"zbardcauft.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"elongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"t9piratetwrath.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"ppiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"fhemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"blongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"t.salaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"requatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"hjawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"3wjawdedmirror.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vtys"; depth:5; nocase; http.host; content:"falcondfy.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shpaoz"; depth:7; nocase; http.host; content:"tjrxsafer.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"dliftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nogsz"; depth:6; nocase; http.host; content:"thiefbshadow.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anbr"; depth:5; nocase; http.host; content:"japeconu.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xewqz"; depth:6; nocase; http.host; content:"medievalarth.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"8changeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ansbwqy"; depth:8; nocase; http.host; content:"9esccapewz.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ewqd"; depth:5; nocase; http.host; content:"tjawdedmirror.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"9liftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"zzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"lbardcauft.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oipz"; depth:5; nocase; http.host; content:"techwaveg.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514760/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"4.changeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pozz"; depth:5; nocase; http.host; content:"techmindj.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"gbardcauft.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"82quilltayle.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"fzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnaj"; depth:5; nocase; http.host; content:"mmexratet.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aisopzs"; depth:8; nocase; http.host; content:"neburonz.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"phemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiqza"; depth:6; nocase; http.host; content:"wizardholdp.run"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1514753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"dnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"nechangeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"inighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"uugeographys.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514747; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nghsaya"; depth:8; nocase; http.host; content:"gbweaponwo.life"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"dequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"i5svigorbridgoe.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"zquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; 
nocase; http.host; content:"cwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"xtropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"w7quilltayle.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"xsalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oiwq"; depth:5; nocase; http.host; content:"spiderq.run"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514745/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_02; classtype:trojan-activity; sid:91514745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"9rlonfgshadow.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"kclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"9biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"kosalaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"onighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"wlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeui"; depth:5; nocase; http.host; content:"kmediaflowq.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"swoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewqd"; depth:5; nocase; http.host; content:"mjawdedmirror.run"; depth:17; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1514734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514734; rev:1;)
# URL-type IOC rules. How the options in the rules below combine:
#  - http.method must contain "GET"; other methods to the same URL do not match.
#  - http.uri: depth equals the pattern length and there is no end anchor, so
#    this is a case-insensitive prefix match on the request URI.
#  - http.host: depth plus isdataat:!1,relative means the whole host buffer must
#    equal the listed name; subdomains of it do not match.
#  - target:src_ip flags the $HOME_NET client as the host to investigate.
#  - msg names no malware family; attribution is only behind the reference URL.
# NOTE(review): `alert http` needs traffic the sensor can parse as HTTP. If these
# hosts are reached over TLS, the rules stay silent unless TLS is decrypted
# upstream - confirm per IOC and pair with DNS/TLS telemetry for the same names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"4mlongitudde.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"olatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514727; rev:1;)
# NOTE(review): "/api" is a generic URI prefix ("/api/..." matches as well), so
# the specificity of this alert rests on the exact host match alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ferry-champage.cyou"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogda"; depth:5; nocase; http.host; content:"dbxattlepath.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514729; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dabyyaz"; depth:8; nocase; http.host; content:"0tpistolpra.bet"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qpte"; depth:5; nocase; http.host; content:"nzealjkh.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"xx9piratetwrath.run"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"xliftally.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gsoiao"; depth:7; nocase; http.host; content:"asoursopsf.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"jclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"hequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"achangeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"z2starofliught.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514719/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514719; rev:1;)
# ip:port IOC rules. The rule header is the entire match: any TCP packet from
# $HOME_NET to the listed address and port alerts; there is no flow state or
# payload condition. `threshold: type limit, track by_src, seconds 60, count 1`
# caps output at one alert per source host per 60 seconds for each rule.
# target:src_ip flags the internal host as the one to investigate.
# The confidence value appears both in msg and in metadata (confidence_level),
# so lower-confidence entries such as the 75% ones below can be routed to
# triage instead of automated response.
alert tcp $HOME_NET any -> [47.92.75.101] 50014 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514718/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91514718; rev:1;)
alert tcp $HOME_NET any -> [198.13.33.74] 3332 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514717/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91514717; rev:1;)
# URL-type rule whose host is an IP literal: the host buffer must equal the
# address exactly and the URI must start with the listed path (prefix match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbwy"; depth:5; nocase; http.host; content:"45.61.136.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514716/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91514716; rev:1;)
alert tcp $HOME_NET any -> [111.90.150.101] 4088 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514715/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_02; classtype:trojan-activity; sid:91514715; rev:1;)
# NOTE(review): on port 80 a hit shows only that a connection to the address
# was attempted; the family is "Unknown malware". Correlate with HTTP logs for
# the same flow before treating the source host as compromised.
alert tcp $HOME_NET any -> [194.180.158.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514714; rev:1;)
alert tcp $HOME_NET any ->
[155.2.192.168] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514713; rev:1;) alert tcp $HOME_NET any -> [74.234.48.86] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514712; rev:1;) alert tcp $HOME_NET any -> [152.67.26.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ij.jioksdf.art"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514709; rev:1;) alert tcp $HOME_NET any -> [23.95.247.249] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514710; rev:1;) alert tcp $HOME_NET any -> [181.161.13.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514708/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514708; rev:1;) alert tcp $HOME_NET any -> [5.252.155.84] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514706; rev:1;) alert tcp $HOME_NET any -> [213.209.150.234] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514707; rev:1;) alert tcp $HOME_NET any -> [155.138.146.111] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514705; rev:1;) alert tcp $HOME_NET any -> [50.116.22.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514704; rev:1;) alert tcp $HOME_NET any -> [167.172.135.43] 2202 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514703; rev:1;) alert tcp $HOME_NET any -> [172.81.60.38] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514702; rev:1;) alert tcp $HOME_NET any -> [38.76.247.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514701; rev:1;) alert tcp $HOME_NET any -> [172.65.183.142] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514700; rev:1;) alert tcp $HOME_NET any -> [196.251.73.23] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514699; rev:1;) alert tcp $HOME_NET any -> [196.251.116.226] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514698; rev:1;) alert tcp $HOME_NET any -> [103.167.89.81] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; 
sid:91514697; rev:1;) alert tcp $HOME_NET any -> [45.204.6.51] 25565 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_02; classtype:trojan-activity; sid:91514696; rev:1;) alert tcp $HOME_NET any -> [185.238.72.167] 8001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514692/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514692; rev:1;) alert tcp $HOME_NET any -> [91.107.124.248] 9300 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514691/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514691; rev:1;) alert tcp $HOME_NET any -> [77.110.110.194] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514690/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514690; rev:1;) alert tcp $HOME_NET any -> [70.31.125.144] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514689/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514689; rev:1;) alert tcp $HOME_NET any -> [194.59.30.170] 2558 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1514688/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514688; rev:1;) alert tcp $HOME_NET any -> [140.83.57.161] 6443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514687/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/012ed364.php"; depth:13; nocase; http.host; content:"dobriyk8.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514684; rev:1;) alert tcp $HOME_NET any -> [45.81.23.47] 1777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514683; rev:1;) alert tcp $HOME_NET any -> [179.13.10.232] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514682; rev:1;) alert tcp $HOME_NET any -> [23.227.199.118] 11443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; 
sid:91514681; rev:1;)
# The address 179.13.10.232 is also listed in this file on port 8080 (DCRat
# label) and port 8081 (AsyncRAT label). When triaging, pivot on the
# destination address across all three sids rather than on the family name.
alert tcp $HOME_NET any -> [179.13.10.232] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514680; rev:1;)
# NOTE(review): the next two rules match on the header only (address + port
# 443, no TLS or payload condition). If an address turns out to be shared
# hosting, unrelated HTTPS traffic alerts too - verify before acting on a hit.
alert tcp $HOME_NET any -> [185.38.142.101] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514679; rev:1;)
alert tcp $HOME_NET any -> [14.103.131.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514678; rev:1;)
# Domain IOC rules: depth equals the name length and isdataat:!1,relative
# requires the query name to end there, so only a query for exactly this name
# matches (nocase makes it case-insensitive); subdomains of it do not match.
# These rules carry no threshold, so every matching query produces an alert.
# dns_query is the older spelling of the dns.query buffer keyword.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"campsitegradually.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514675; rev:1;)
# This name embeds 23-227-199-118; the ip:port rule with sid 91514681 directly
# above in this file covers 23.227.199.118 port 11443, so one infected host may
# raise both alerts. Presumably a provider-assigned hostname for that address -
# TODO confirm against the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-227-199-118.static.hvvc.us"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514673; rev:1;)
alert tcp $HOME_NET any -> [38.60.223.175] 8989 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold:
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514672; rev:1;)
alert tcp $HOME_NET any -> [157.180.94.222] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514666; rev:1;)
# The next two rules match host t.me, a public messaging-service domain shared
# by unrelated users, so the URI path is the only IOC-specific part of the
# match. The path is a case-insensitive prefix match (depth equals the pattern
# length, no end anchor): a longer path starting with the same string alerts
# as well.
# NOTE(review): t.me is normally fetched over HTTPS, and an `alert http` rule
# only sees requests the sensor can parse as HTTP, so these likely fire only
# where TLS is decrypted ahead of the sensor - confirm coverage. The IOC is the
# full URL; it does not justify blocking or alerting on the domain as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wermnjgk34"; depth:11; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdawfq"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514669; rev:1;)
# ip:port rule: header-only match, limited to one alert per source per 60 s.
alert tcp $HOME_NET any -> [172.111.244.103] 8347 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogalmedical.org"; depth:16; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.91.201.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514664; rev:1;) alert tcp $HOME_NET any -> [45.91.201.178] 5173 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5; nocase; http.host; content:"lcorexlaib.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514662/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"progress.moneymatrixonline.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"progress.moneymatrixonline.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514660; rev:1;) alert tcp $HOME_NET any -> [144.202.59.71] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cubuj.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514656; rev:1;) alert tcp $HOME_NET any -> [43.155.132.55] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514658/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514658; rev:1;) alert tcp $HOME_NET any -> [43.128.29.72] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514657/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.cloudphoto.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1514655/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"divoc.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"cdisciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514653/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xelop.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coxyz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frendlymachened.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514651/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"storedriving.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514652; rev:1;) alert tcp $HOME_NET any -> [38.54.27.119] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514649; rev:1;) alert tcp $HOME_NET any -> [13.208.168.67] 20546 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514648; rev:1;) alert tcp $HOME_NET any -> [44.246.89.112] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514647; rev:1;) alert tcp $HOME_NET any -> [185.7.214.73] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514646; rev:1;) alert tcp 
$HOME_NET any -> [179.13.10.232] 8081 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514645; rev:1;)
# ip:port rules: the header (destination address and port) is the whole match;
# the threshold limits each rule to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [47.92.193.102] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514644; rev:1;)
alert tcp $HOME_NET any -> [124.71.168.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514643; rev:1;)
# Duplicate coverage: sid 91514641 earlier in this file matches the same domain
# with the same options (a separate ThreatFox IOC id). One query for the name
# raises both sids, and neither rule has a threshold. Deduplicate downstream on
# the queried name; the file header carries a last-updated stamp, so hand edits
# to this file are presumably overwritten on the next refresh.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xelop.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514642; rev:1;)
# URL-type rule with an IP-literal host: the host buffer must equal the address
# exactly, and any GET whose URI starts with the listed login path alerts
# (prefix match, case-insensitive). msg names no family; see the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"180.76.172.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level:
100%)"; dns_query; content:"holyseypju.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"himselcaked.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514640; rev:1;) alert tcp $HOME_NET any -> [31.56.36.88] 48568 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514638; rev:1;) alert tcp $HOME_NET any -> [31.56.36.73] 44644 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514637; rev:1;) alert tcp $HOME_NET any -> [185.147.124.212] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514635; rev:1;) alert tcp $HOME_NET any -> [88.214.50.3] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514636/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_01; classtype:trojan-activity; sid:91514636; rev:1;) alert tcp $HOME_NET any -> [154.61.80.193] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514634; rev:1;) alert tcp $HOME_NET any -> [87.98.236.198] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514632/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514632; rev:1;) alert tcp $HOME_NET any -> [66.103.211.253] 46108 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514631/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514631; rev:1;) alert tcp $HOME_NET any -> [3.96.152.27] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514550/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514550; rev:1;) alert tcp $HOME_NET any -> [193.178.172.80] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514549/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514549; rev:1;) alert tcp $HOME_NET any -> [173.225.103.138] 4047 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1514548/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514548; rev:1;)
# ip:port indicators: address-and-port match only, no flow or payload keyword, limited
# to one alert per source address per 60 seconds by the threshold. The first two carry
# confidence_level 75 in metadata, the third 100.
alert tcp $HOME_NET any -> [154.17.228.120] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514547/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514547; rev:1;)
alert tcp $HOME_NET any -> [104.207.132.109] 1443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514546/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514546; rev:1;)
alert tcp $HOME_NET any -> [23.133.4.25] 27978 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514545; rev:1;)
# Domain indicator: depth:20 equals the pattern length and isdataat:!1,relative forbids
# trailing bytes, so only a query for exactly this name matches (nocase); subdomains
# of it are not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"browngreencolors.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514520; rev:1;)
alert tcp $HOME_NET any -> [196.251.118.129] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514519; rev:1;)
alert tcp $HOME_NET any -> [209.145.56.66] 27113 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514518; rev:1;)
# NetSupportManager RAT entries; 13.201.117.158 is listed twice with different ports,
# each as its own IOC id and sid.
alert tcp $HOME_NET any -> [51.17.8.61] 8000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514517; rev:1;)
alert tcp $HOME_NET any -> [54.197.10.95] 44818 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514513; rev:1;)
alert tcp $HOME_NET any -> [13.201.117.158] 18245 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514514; rev:1;)
alert tcp $HOME_NET any -> [13.201.117.158] 46445 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514515; rev:1;)
alert tcp $HOME_NET any -> [3.26.17.43] 2874 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514516; rev:1;)
alert tcp $HOME_NET any -> [195.82.147.63] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securealisveris.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514511; rev:1;)
# Destination port 53 here is matched by an "alert tcp" header, not by the dns parser:
# the rule fires on any TCP packet to this address on port 53 and inspects no DNS field.
alert tcp $HOME_NET any -> [158.247.215.42] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514510; rev:1;)
alert tcp $HOME_NET any -> [47.115.50.127] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"vbtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514508/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_05_01; classtype:trojan-activity; sid:91514508; rev:1;)
# URL indicators: GET requests, client-to-server on an established flow. In each rule
# the http.uri pattern is pinned to the start of the URI by depth but has no end
# anchor, so a longer path or an appended query string still matches, while the
# http.host pattern is anchored at both ends (depth plus isdataat:!1,relative).
# The four rules below carry confidence_level 75 and pair a short path of four or five
# letters with one host each; the host anchor is what keeps them specific.
# NOTE(review): http.host patterns carry no nocase and are all lowercase, presumably
# because the buffer is normalized - confirm for the Suricata version in use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"m0viriatoe.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514507/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwes"; depth:5; nocase; http.host; content:"j3techchaiun.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514506/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"4datawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514505/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cn45664.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514504; rev:1;)
# ip:port indicator: matches on destination address and port alone; the threshold
# limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.207.68.55] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514503; rev:1;)
# Here http.host holds an IP literal; the rule still requires the Host value to equal
# it exactly, so it is narrower than an ip:port rule for the same address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqldbwindowsgenerator.php"; depth:26; nocase; http.host; content:"31.58.85.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514501; rev:1;)
alert tcp $HOME_NET any -> [137.220.205.195] 5050 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514500; rev:1;)
alert tcp $HOME_NET any -> [47.83.194.149] 27965 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/883af937.php"; depth:13; nocase; http.host; content:"a1120835.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2c0f19f.php"; depth:13; nocase; http.host; content:"a1121405.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514497; rev:1;)
alert tcp $HOME_NET any -> [43.250.174.151] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nokia/five/fre.php"; depth:19; nocase; http.host; content:"essate.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514495; rev:1;)
alert tcp $HOME_NET any -> [129.226.170.223] 95 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514494; rev:1;)
alert tcp $HOME_NET any -> [154.82.93.8] 442 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514493; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.203] 5211 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514492; rev:1;)
# ip:port indicators: any TCP packet from $HOME_NET to the listed address and port
# matches; the malware family exists only in the msg text, nothing in the rule checks
# protocol content. One alert per source address per 60 seconds (threshold).
alert tcp $HOME_NET any -> [87.120.107.3] 35361 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514491; rev:1;)
alert tcp $HOME_NET any -> [164.152.167.246] 3009 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514490; rev:1;)
alert tcp $HOME_NET any -> [103.20.102.21] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514489; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 13249 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514488; rev:1;)
# URL indicators (GET, client-to-server, established flow). URI patterns are prefix
# matches anchored at offset 0 by depth; host patterns are exact. These rules carry no
# threshold, so every matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1120606.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linecpuprocess.php"; depth:19; nocase; http.host; content:"38.180.109.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"176.117.78.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollwordpressdatalifewpdownloads.php"; depth:37; nocase; http.host; content:"497571cm.nyashk.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514484; rev:1;)
# confidence_level 75 URL indicators: short paths, so the exact http.host match carries
# most of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"wclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514483/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emnd"; depth:5; nocase; http.host; content:"lemuruy.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514482/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"8tropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514481/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514481; rev:1;)
# Domain indicator: exact, case-insensitive match on the whole query name
# (depth:11 = pattern length, isdataat:!1,relative = nothing after it).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pepjm.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514480; rev:1;)
alert tcp $HOME_NET any -> [37.120.141.139] 1605 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514479; rev:1;)
alert tcp $HOME_NET any -> [111.92.242.137] 2137 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514478; rev:1;)
alert tcp $HOME_NET any -> 
[202.79.172.16] 10443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514477; rev:1;)
# URL indicator: GET, client-to-server on an established flow; http.uri is a prefix
# match from offset 0, http.host must equal the pattern exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1d06654a.php"; depth:13; nocase; http.host; content:"bymonaco.mywebcommunity.org"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514476; rev:1;)
# ip:port indicators: destination address and port only, no flow or payload keyword;
# the threshold allows one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [78.164.223.72] 2026 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514475; rev:1;)
alert tcp $HOME_NET any -> [5.206.227.239] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76kaq89b"; depth:9; nocase; http.host; content:"62.234.11.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514473/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514473; rev:1;)
alert tcp $HOME_NET any -> [23.133.4.2] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514472; rev:1;)
alert tcp $HOME_NET any -> [45.192.217.104] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514471; rev:1;)
alert tcp $HOME_NET any -> [111.170.150.18] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514470; rev:1;)
alert tcp $HOME_NET any -> [38.91.114.214] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514469; rev:1;)
# "/index.php" is a generic path and only a prefix match; the exact http.host match on
# the IP literal is what ties this rule to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"79.124.78.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514468; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.72] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videotempsecuredefault/eternal/centraltempapivm/externalsecureprotectasynccdn.php"; depth:82; nocase; http.host; content:"81.94.155.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514466; rev:1;)
alert tcp $HOME_NET any -> [196.119.210.163] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514465; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.88] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514464; rev:1;)
alert tcp $HOME_NET any -> [192.252.183.39] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514463; rev:1;)
alert tcp $HOME_NET any -> [83.168.95.95] 4844 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1514462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514462; rev:1;)
# Two rule shapes alternate below.
# "alert tcp": ip:port indicator, matches on destination address and port only and is
# limited by threshold to one alert per source address per 60 seconds.
# "alert http": URL indicator, GET on an established client-to-server flow; http.uri is
# a prefix match anchored at offset 0, http.host an exact match. These need cleartext
# HTTP and have no threshold.
# target:src_ip records the $HOME_NET host as the target side in both shapes.
alert tcp $HOME_NET any -> [27.124.6.233] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51b29321.php"; depth:13; nocase; http.host; content:"ct86324.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514460; rev:1;)
alert tcp $HOME_NET any -> [41.111.99.164] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e36aeb7b.php"; depth:13; nocase; http.host; content:"vanyapc202.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514458; rev:1;)
alert tcp $HOME_NET any -> [105.103.255.169] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/http/imagesql/tohttpupdatetraffic.php"; depth:38; nocase; http.host; content:"80.66.81.173"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514456; rev:1;)
alert tcp $HOME_NET any -> [103.101.178.91] 27984 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514455; rev:1;)
# confidence_level 75 URL indicator (short path, exact host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"lcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514453/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514453; rev:1;)
alert tcp $HOME_NET any -> [154.82.92.185] 442 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514454; rev:1;)
# confidence_level 75 URL indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"itropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514452/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"i23woodpeckersd.run"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514451/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalrequestsecurepacketasynctrack.php"; depth:41; nocase; http.host; content:"790734cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/532e0d0a.php"; depth:13; nocase; http.host; content:"a1116839.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videolinetoflowerdatalife.php"; depth:30; nocase; http.host; content:"82.146.37.26"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1514448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514448; rev:1;)
# ip:port rules ("alert tcp") match on destination address and port only, with one alert
# per source address per 60 seconds; URL rules ("alert http") match GET requests whose
# URI starts with the pattern and whose Host equals the pattern exactly.
# The family named in msg is a label on the IOC, not something the rule verifies:
# 192.169.69.25 appears below as NjRAT (port 1515) and Nanocore RAT (port 1590), and
# 147.185.221.26 as NjRAT (port 4207) and CyberGate (port 61767).
# NOTE(review): addresses reused across families are presumably shared infrastructure -
# check the ThreatFox reference before attributing a hit.
alert tcp $HOME_NET any -> [88.243.7.236] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~dennytre/five/fre.php"; depth:23; nocase; http.host; content:"31.220.2.200"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514446; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 1515 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514445; rev:1;)
# Generic "/index.php" prefix; specificity comes from the exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"185.220.221.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514444; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.26] 4207 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providersqllinux.php"; depth:21; nocase; http.host; content:"484520cm.nyashk.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514442; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 1590 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514441; rev:1;)
alert tcp $HOME_NET any -> [110.42.2.16] 8896 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1115545.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514439; rev:1;)
alert tcp $HOME_NET any -> [207.244.76.146] 29739 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514438; rev:1;)
alert tcp $HOME_NET any -> [196.251.80.10] 7002 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514437; rev:1;)
alert tcp $HOME_NET any -> [23.248.217.151] 4433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514436; rev:1;)
alert tcp $HOME_NET any -> [196.251.118.33] 5211 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514435; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.27] 2036 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514434; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.26] 61767 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5688bb2e.php"; depth:13; nocase; http.host; content:"antyworm.atwebpages.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514432; rev:1;) alert tcp $HOME_NET any -> [116.204.184.226] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"vquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514430/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514430; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"tzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514428/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; 
classtype:trojan-activity; sid:91514428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"9salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514427/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"6clarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514425/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"71changeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514426/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514426; rev:1;) alert tcp $HOME_NET any -> [185.222.57.86] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514424; rev:1;) alert tcp $HOME_NET any -> [118.107.43.178] 6688 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514423/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514423; rev:1;)
# The line above is the tail of a rule that starts before this span.
#
# Domain indicator. dns_query with depth equal to the pattern length plus
# isdataat:!1,relative matches only when the whole query name is the listed
# domain (case-insensitively, via nocase); a query for a subdomain of it does
# not match.
# NOTE(review): the rule keys on queries leaving $HOME_NET, so the alert names
# whichever host sent the query the sensor saw; behind an internal resolver
# that is presumably the resolver, not the workstation. Confirm against the
# sensor placement and correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mebwg.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514422; rev:1;)
# ip:port indicators. These rules have no content or flow keywords: any TCP
# packet from $HOME_NET to the listed address and port matches, including a
# connection attempt that never completes. The threshold (type limit, track
# by_src, seconds 60, count 1) caps output at one alert per source address per
# 60 seconds for each rule. target:src_ip marks the internal source as the
# affected host in the alert.
alert tcp $HOME_NET any -> [192.169.69.26] 48405 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514421; rev:1;)
alert tcp $HOME_NET any -> [95.164.90.173] 39483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514420; rev:1;)
alert tcp $HOME_NET any -> [45.207.207.167] 8001 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514419; rev:1;)
alert tcp $HOME_NET any -> [176.107.181.14] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514418/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514418; rev:1;)
# The next line is the head of a rule that continues past this span.
alert tcp $HOME_NET any -> [103.68.194.28] 6666 (msg:"ThreatFox ValleyRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0a9cd021.php"; depth:13; nocase; http.host; content:"cj84416.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/testwptemptemporary.php"; depth:24; nocase; http.host; content:"kplugz1.fvds.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514415; rev:1;) alert tcp $HOME_NET any -> [196.251.72.64] 5633 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514414; rev:1;) alert tcp $HOME_NET any -> [121.126.157.119] 35770 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514413; rev:1;) alert tcp $HOME_NET any -> [166.88.61.235] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514412; rev:1;)
# The line above is the tail of a rule that starts before this span (the break
# falls inside its msg string).
#
# ip:port indicators: each rule matches on destination address and port alone,
# with no payload inspection, and is rate-limited to one alert per source per
# 60 seconds. An alert therefore means "a host in $HOME_NET sent TCP to this
# endpoint", not "this malware family's protocol was observed"; the family
# name in msg comes from the feed entry behind the reference URL.
alert tcp $HOME_NET any -> [192.238.128.242] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514411; rev:1;)
alert tcp $HOME_NET any -> [188.126.90.3] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514410; rev:1;)
# The next three NjRAT entries (ioc 1514409, 1514408, 1514407) share port 15660
# across different addresses.
# NOTE(review): presumably one endpoint seen at several addresses - verify on
# the reference pages. Address-keyed rules like these go stale when an address
# is reassigned, so check first_seen and the current feed before treating a
# hit as confirmed C2.
alert tcp $HOME_NET any -> [3.127.59.75] 15660 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514409; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 15660 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514408; rev:1;)
# The next line is the head of a rule that continues past this span.
alert tcp $HOME_NET any -> [3.121.139.82] 15660 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; 
sid:91514407; rev:1;) alert tcp $HOME_NET any -> [196.119.199.129] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514406; rev:1;) alert tcp $HOME_NET any -> [104.168.7.12] 5854 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"lee44.kozow.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default52/trackimagedlepipe/publiclinux0js/providerlinetorequestbigloaddbflowertrafficdatalifetemporary.php"; depth:108; nocase; http.host; content:"82.146.38.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514403; rev:1;) alert tcp $HOME_NET any -> [80.71.232.29] 23066 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514402/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvmupdatemultitraffictemporary.php"; depth:42; nocase; http.host; content:"196.251.69.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localdatalife/6/30/2wordpress/requestpubliclinux/image5/5/8bigloadpoll/track/db9/poll/dumpgeo/providerpipegamebigloadgeneratortrackdownloads.php"; depth:145; nocase; http.host; content:"77.238.251.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloadsgeneratorpublic/externalcpu68/83/7/bigload/publicphp/1server/traffic/processorlinux/cdndb/wordpressuniversalwordpress/db/pythonprivate/6/publicdb/linepoll.php"; depth:168; nocase; http.host; content:"89.111.153.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514399; rev:1;) alert tcp $HOME_NET any -> [107.149.241.28] 1688 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1514398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514398; rev:1;) alert tcp $HOME_NET any -> [103.68.181.217] 1688 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514397; rev:1;) alert tcp $HOME_NET any -> [43.225.58.178] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514396; rev:1;) alert tcp $HOME_NET any -> [196.251.118.33] 5210 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptlongpollservermultiasynctrafficdlepublic.php"; depth:61; nocase; http.host; content:"168859cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514394; rev:1;) alert tcp $HOME_NET any -> [185.241.149.215] 2017 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514393/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514393; rev:1;) alert tcp $HOME_NET any -> [191.96.166.73] 5000 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514392; rev:1;) alert tcp $HOME_NET any -> [213.209.150.82] 9900 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514391; rev:1;) alert tcp $HOME_NET any -> [45.144.212.89] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514390; rev:1;) alert tcp $HOME_NET any -> [5.206.224.118] 8081 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmlongpoll.php"; depth:15; nocase; http.host; content:"696575cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514388; rev:1;) alert tcp 
$HOME_NET any -> [154.12.29.244] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514387; rev:1;) alert tcp $HOME_NET any -> [194.156.79.254] 3465 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514386; rev:1;) alert tcp $HOME_NET any -> [45.204.201.143] 33891 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zifnk.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"139.180.217.142"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videopython_bigload.php"; depth:24; nocase; http.host; content:"qwertyzzzx.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514384; rev:1;) alert tcp $HOME_NET any -> [196.251.73.232] 5210 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wpuploadstemporary.php"; depth:23; nocase; http.host; content:"766918cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514382; rev:1;) alert tcp $HOME_NET any -> [206.123.152.51] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c51d18f4.php"; depth:13; nocase; http.host; content:"cs20315.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; 
sid:91514380; rev:1;) alert tcp $HOME_NET any -> [196.119.161.157] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gameuseractiveforunityenginegaming.php"; depth:39; nocase; http.host; content:"213.21.241.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514378; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 44662 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514376; rev:1;) alert tcp $HOME_NET any -> [47.254.94.54] 8866 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a843c0b2.php"; depth:13; nocase; http.host; content:"f1089672.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; 
classtype:trojan-activity; sid:91514375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linedefaultpublicdownloads.php"; depth:31; nocase; http.host; content:"430873cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514374; rev:1;) alert tcp $HOME_NET any -> [103.46.185.44] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514373; rev:1;) alert tcp $HOME_NET any -> [162.252.173.251] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processgameserverlinuxuploads.php"; depth:34; nocase; http.host; content:"devongentl.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"a1111976.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514370; rev:1;)
# The line above is the tail of a rule that starts before this span.
#
# ip:port indicators: destination address and port only, no payload or flow
# conditions, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [95.164.119.129] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514369; rev:1;)
# Port 443 entry: the rule does not look at the payload, so any TCP traffic to
# this address on 443 alerts, whatever service is actually spoken there.
alert tcp $HOME_NET any -> [182.16.89.234] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514367; rev:1;)
alert tcp $HOME_NET any -> [3.64.4.198] 16347 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514368; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 16347 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514366; rev:1;)
# The next line is the head of a rule that continues past this span.
# Its URI pattern is the single byte "/" with depth:1, which only requires the
# request URI to begin with "/"; in practice the rule reduces to "GET request
# whose Host is exactly 45.140.146.169". Unlike the ip:port rules it has no
# threshold, so expect one alert per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.146.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514365/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514365; rev:1;) alert tcp $HOME_NET any -> [27.124.34.85] 1020 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514364; rev:1;) alert tcp $HOME_NET any -> [13.58.219.64] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514363; rev:1;) alert tcp $HOME_NET any -> [206.123.150.254] 9907 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514362; rev:1;) alert tcp $HOME_NET any -> [155.2.192.59] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514361; rev:1;) alert tcp $HOME_NET any -> [88.240.210.241] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514360; rev:1;) alert tcp $HOME_NET any -> [154.12.21.225] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514358; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 44817 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514359; rev:1;) alert tcp $HOME_NET any -> [196.251.115.230] 5211 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514356; rev:1;) alert tcp $HOME_NET any -> [202.61.86.216] 2015 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514357; rev:1;) alert tcp $HOME_NET any -> [192.238.129.9] 7777 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/5/fre.php"; depth:13; nocase; http.host; content:"jaikhodiyargroup.com"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1514353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonsecurecpulongpolldownloads.php"; depth:44; nocase; http.host; content:"ord-ua.co"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514352; rev:1;) alert tcp $HOME_NET any -> [192.227.173.59] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514351; rev:1;) alert tcp $HOME_NET any -> [148.66.11.18] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514350; rev:1;) alert tcp $HOME_NET any -> [52.57.120.10] 15638 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514348; rev:1;) alert tcp $HOME_NET any -> [213.209.129.29] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514349/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_01; classtype:trojan-activity; sid:91514349; rev:1;) alert tcp $HOME_NET any -> [18.192.31.30] 15638 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514347; rev:1;) alert tcp $HOME_NET any -> [3.78.28.71] 15638 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514346; rev:1;) alert tcp $HOME_NET any -> [3.74.27.83] 15638 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5654a095.php"; depth:13; nocase; http.host; content:"a1111803.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514344; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 5557 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514343; rev:1;) alert tcp $HOME_NET any -> [94.156.227.193] 1351 (msg:"ThreatFox Quasar RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a3e687a.php"; depth:13; nocase; http.host; content:"a1111558.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpjavascriptbigloadtrafficprivate.php"; depth:39; nocase; http.host; content:"62.109.27.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollupdate.php"; depth:15; nocase; http.host; content:"bildea.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"149.202.109.202"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1514338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsss/5/fre.php"; depth:15; nocase; http.host; content:"jaikhodiyargroup.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b3f2f0a.php"; depth:13; nocase; http.host; content:"khcwnwdhky.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514336; rev:1;) alert tcp $HOME_NET any -> [3.27.107.48] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providersecurelowtesttempdownloads.php"; depth:39; nocase; http.host; content:"pochinitb.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514334; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 8338 (msg:"ThreatFox Nanocore 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514333; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 13753 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514332; rev:1;) alert tcp $HOME_NET any -> [213.152.162.5] 56870 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76853e4b.php"; depth:13; nocase; http.host; content:"a1111689.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packetasynctrafficprivate.php"; depth:30; nocase; http.host; content:"sasatysen2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514329; rev:1;) alert tcp $HOME_NET any -> [79.110.49.33] 1616 
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514328; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514327; rev:1;) alert tcp $HOME_NET any -> [45.192.169.23] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514326; rev:1;) alert tcp $HOME_NET any -> [45.9.249.158] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7d3efb6f.php"; depth:13; nocase; http.host; content:"pw461.castledev.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514324; rev:1;) alert tcp $HOME_NET any -> [46.246.14.66] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1514323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514323; rev:1;) alert tcp $HOME_NET any -> [206.238.220.103] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514322; rev:1;) alert tcp $HOME_NET any -> [114.132.175.103] 12014 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2conf"; depth:7; nocase; http.host; content:"coolworks.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514320; rev:1;) alert tcp $HOME_NET any -> [191.101.51.29] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514319; rev:1;) alert tcp $HOME_NET any -> [45.137.22.119] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514318/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_05_01; classtype:trojan-activity; sid:91514318; rev:1;) alert tcp $HOME_NET any -> [202.61.87.22] 2015 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514317; rev:1;) alert tcp $HOME_NET any -> [157.20.182.16] 58008 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514316; rev:1;) alert tcp $HOME_NET any -> [202.95.14.159] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514315; rev:1;) alert tcp $HOME_NET any -> [47.97.113.36] 43434 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514314; rev:1;) alert tcp $HOME_NET any -> [144.172.93.80] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/a715109a.php"; depth:13; nocase; http.host; content:"f1109533.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/publiccdn.php"; depth:14; nocase; http.host; content:"638454cm.nyashware.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beksr.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514302; rev:1;) alert tcp $HOME_NET any -> [47.109.140.6] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514309; rev:1;) alert tcp $HOME_NET any -> [206.238.114.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514308; rev:1;) alert tcp $HOME_NET any -> [45.205.30.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514307; rev:1;) alert tcp $HOME_NET any -> [47.92.198.182] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514306; rev:1;) alert tcp $HOME_NET any -> [45.204.213.99] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514305; rev:1;) alert tcp $HOME_NET any -> [49.232.65.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514304; rev:1;) alert tcp $HOME_NET any -> [47.108.158.237] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514303; rev:1;) alert tcp $HOME_NET any -> [176.65.142.222] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514301/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514301; rev:1;) 
# ThreatFox IOC rules (generated feed); first_seen is 2025_05_01 and confidence_level is 100 on
# every rule in this stretch. sid is "9" followed by the IOC id in the reference URL, so an
# alert's sid leads straight to its ThreatFox IOC page. target:src_ip marks the $HOME_NET side
# of the alert as the target, i.e. the internal host to triage.
#
# domain rules (alert dns): dns_query must equal the listed name in full, case-insensitively
# (depth plus isdataat:!1,relative plus nocase), so a lookup of a subdomain of that name does
# not match. msg names no malware family on these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gerhtr.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514266; rev:1;)
# ip:port rules (alert tcp ... -> [IP] PORT): there is no flow or content condition, so any TCP
# packet from $HOME_NET to that address and port matches, including a connection attempt that is
# never answered. "threshold: type limit, track by_src, seconds 60, count 1" keeps output to one
# alert per source host per 60 seconds. The rule carries first_seen but no expiry; check the
# reference page for the indicator's current status before acting, more so on ports 80 and 443.
alert tcp $HOME_NET any -> [195.82.147.63] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514268; rev:1;)
alert tcp $HOME_NET any -> [20.107.168.172] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514269; rev:1;)
# msg reads "Unknown malware" on the rule below and on the long run further down: the rule
# itself attributes no family, so an alert gives the analyst only the address, the port and
# the reference URL to work from.
alert tcp $HOME_NET any -> [158.179.209.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514270; rev:1;)
alert tcp $HOME_NET any -> [185.208.159.245] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514265; rev:1;)
alert tcp $HOME_NET any -> [195.82.147.63] 4443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514267; rev:1;)
alert tcp $HOME_NET any -> [27.124.4.224] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514263; rev:1;)
alert tcp $HOME_NET any -> [31.57.33.110] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514264; rev:1;)
alert tcp $HOME_NET any -> [114.132.227.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rt.threat.city"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514262; rev:1;)
alert tcp $HOME_NET any -> [47.113.217.92] 18899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514260; rev:1;)
alert tcp $HOME_NET any -> [185.154.12.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514258; rev:1;)
alert tcp $HOME_NET any -> [106.54.52.7] 29901 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514259; rev:1;)
alert tcp $HOME_NET any -> [154.12.87.224] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514257; rev:1;)
alert tcp $HOME_NET any -> [206.206.76.49] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514271; rev:1;)
alert tcp $HOME_NET any -> [92.176.76.51] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514272; rev:1;)
alert tcp $HOME_NET any -> [103.127.135.159] 8088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514273; rev:1;)
alert tcp $HOME_NET any -> [103.127.135.159] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514274; rev:1;)
alert tcp $HOME_NET any -> [103.142.147.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514275; rev:1;)
alert tcp $HOME_NET any -> [139.224.30.125] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514276; rev:1;)
alert tcp $HOME_NET any -> [103.142.147.194] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514277; rev:1;)
alert tcp $HOME_NET any -> [15.237.138.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514279; rev:1;)
alert tcp $HOME_NET any -> [103.142.147.195] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514278; rev:1;)
alert tcp $HOME_NET any -> [18.209.8.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514280; rev:1;)
alert tcp $HOME_NET any -> [44.210.2.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514281; rev:1;)
alert tcp $HOME_NET any -> [109.206.245.135] 11211 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514282; rev:1;)
alert tcp $HOME_NET any -> [13.60.161.199] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514283; rev:1;)
alert tcp $HOME_NET any -> [157.180.40.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514284; rev:1;)
alert tcp $HOME_NET any -> [13.250.41.111] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514285; rev:1;)
alert tcp $HOME_NET any -> [167.71.197.54] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514286; rev:1;)
alert tcp $HOME_NET any -> [181.32.40.54] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514287; rev:1;)
alert tcp $HOME_NET any -> [45.82.15.2] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514288; rev:1;)
alert tcp $HOME_NET any -> [102.217.125.101] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514289; rev:1;)
alert tcp $HOME_NET any -> [193.46.217.55] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514290; rev:1;)
alert tcp $HOME_NET any -> [46.101.89.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514291; rev:1;)
alert tcp $HOME_NET any -> [157.245.68.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514292; rev:1;)
alert tcp $HOME_NET any -> [34.254.226.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fodxj.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xeqnm.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514298/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_05_01; classtype:trojan-activity; sid:91514298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app.bytevista.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app2.bytevista.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514300; rev:1;) alert tcp $HOME_NET any -> [121.9.235.74] 38002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514194/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514194; rev:1;) alert tcp $HOME_NET any -> [18.189.135.166] 8083 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514195/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514195; rev:1;) alert tcp $HOME_NET any -> [20.42.105.243] 8083 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514196/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514196; rev:1;) alert tcp $HOME_NET any -> [117.48.148.58] 6951 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514197/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514197; rev:1;) alert tcp $HOME_NET any -> [103.82.143.13] 56891 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514215/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514215; rev:1;) alert tcp $HOME_NET any -> [216.126.229.166] 1224 (msg:"ThreatFox BeaverTail botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514216/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alpaca-flnance.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514217/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514217; rev:1;) alert tcp $HOME_NET any -> [166.88.197.51] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"app.alpacaflnance.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514218/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_05_01; classtype:trojan-activity; sid:91514218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ratatui.today"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"napgh.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tighn.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514163; rev:1;) alert tcp $HOME_NET any -> [80.64.18.180] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98713521/tangem-setup-x64.exe"; depth:30; nocase; http.host; content:"salmesados.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514151; rev:1;) 
# Layout: one rule per physical line. Suricata reads a rule file line by line, so a rule
# has to sit on a single line unless it is continued with a trailing backslash.
#
# URL indicators for host salmesados.com. http.host is an exact match (depth equals the
# content length and isdataat:!1,relative forbids trailing bytes). The http.uri content is
# anchored to the start of the URI by depth but has no end anchor, so a longer URI that
# begins with this path matches as well.
# NOTE(review): the http.* buffers are only filled when the request is visible as HTTP;
# the same fetch over TLS is not seen by these rules unless the traffic is decrypted.
# NOTE(review): msg says "botnet C2 traffic" although the paths end in installer-style
# .exe names; presumably payload delivery. The label comes from the upstream feed, so
# confirm with the referenced ThreatFox entry before triaging as C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98713521/trustwallet-desktop-x64.exe"; depth:37; nocase; http.host; content:"salmesados.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98713521/nordpass-desktop-setup.exe"; depth:36; nocase; http.host; content:"salmesados.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514150; rev:1;)
# Domain indicators. Each dns_query rule matches the whole query name only (depth equals
# the content length, isdataat:!1,relative, nocase); a query for a subdomain of the listed
# name does not match.
# The "credit card skimming" rules carry classtype:bad-unknown instead of trojan-activity,
# so they take that class's priority from classification.config; check how the alert
# pipeline ranks it.
# NOTE(review): for skimmer domains the querying host is presumably a browser that loaded
# a compromised shop page, not necessarily an infected endpoint; triage accordingly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"categorywishlist.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:bad-unknown; sid:91514148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1z.pages.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mozillasync.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:bad-unknown; sid:91514147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"necscar.pro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"assetssafepay.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:bad-unknown; sid:91514146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wykvn.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514141; rev:1;)
# NOTE(review): the indicator below is "ho8.pages.de" (depth:12), while the neighbouring
# Pages-hosted indicator above is "z1z.pages.dev". The value may have been truncated
# upstream; because the match is exact, a truncated name would never fire. Verify against
# the referenced ThreatFox entry before relying on this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ho8.pages.de"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514143; rev:1;)
# ip:port indicators. These rules have no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches, including a connection attempt that
# never completes. The threshold limits output to one alert per source IP per 60 seconds.
# NOTE(review): an address-only match says nothing about the payload; the address may have
# been reassigned since first_seen, so correlate with other telemetry before escalating.
alert tcp $HOME_NET any -> [45.155.249.241] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514296; rev:1;)
alert tcp $HOME_NET any -> [51.17.8.61] 52200 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514294; rev:1;) alert tcp $HOME_NET any -> [51.17.8.61] 60000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514295; rev:1;) alert tcp $HOME_NET any -> [85.121.148.151] 65053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514255/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514255; rev:1;) alert tcp $HOME_NET any -> [81.71.248.53] 5001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514254/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514254; rev:1;) alert tcp $HOME_NET any -> [122.152.244.171] 5001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514253/; target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accesserdsc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514252/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_05_01; classtype:trojan-activity; sid:91514252; rev:1;) alert tcp $HOME_NET any -> [137.184.89.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514249; rev:1;) alert tcp $HOME_NET any -> [54.151.11.72] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514248; rev:1;) alert tcp $HOME_NET any -> [79.241.104.98] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514245; rev:1;) alert tcp $HOME_NET any -> [3.112.172.253] 5986 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514246; rev:1;) alert tcp $HOME_NET any -> [3.112.172.253] 44286 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514247; rev:1;) alert tcp $HOME_NET any -> [87.121.103.228] 80 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pumacapitalinvestments.uksouth.cloudapp.azure.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514243; rev:1;) alert tcp $HOME_NET any -> [189.155.247.138] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514242; rev:1;) alert tcp $HOME_NET any -> [27.124.4.217] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514241; rev:1;) alert tcp $HOME_NET any -> [83.217.209.65] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514239; rev:1;) alert tcp $HOME_NET any -> [27.124.4.223] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514240/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514240; rev:1;) alert tcp $HOME_NET any -> [102.117.170.16] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514238; rev:1;) alert tcp $HOME_NET any -> [204.12.245.163] 85 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514236; rev:1;) alert tcp $HOME_NET any -> [82.223.48.201] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514237; rev:1;) alert tcp $HOME_NET any -> [193.24.197.34] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514235; rev:1;) alert tcp $HOME_NET any -> [196.251.71.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514234; rev:1;) alert tcp $HOME_NET any -> [156.225.26.215] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514233; rev:1;) alert tcp $HOME_NET any -> [120.24.162.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514232; rev:1;) alert tcp $HOME_NET any -> [119.91.40.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514231; rev:1;) alert tcp $HOME_NET any -> [43.155.132.55] 18324 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_05_01; classtype:trojan-activity; sid:91514230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"zcivitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514229/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; 
content:"wzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514228/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akds"; depth:5; nocase; http.host; content:"triremeo.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514227/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"sviriatoe.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514226/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"gbrandihx.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514225/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"edatawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514224/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; 
classtype:trojan-activity; sid:91514224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tapsz"; depth:6; nocase; http.host; content:"6autogearw.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514223/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"htechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514222/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"dzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514221/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"elonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514220/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"tpbrandihx.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514214/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"jscriptao.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514213/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"disciplipna.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514212/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"5civitasu.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514211/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"utechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514210/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5; nocase; http.host; content:"ncorexlaib.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514209/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"viriatoe.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514208/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpep"; depth:5; nocase; http.host; content:"scriptao.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514207/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"praetori.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514206/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"opusculy.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514204/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"ovecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514205/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xane"; depth:5; nocase; http.host; content:"exitiumt.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514203/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/werrp"; depth:6; nocase; http.host; content:"civitasu.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514202/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keaj"; depth:5; nocase; http.host; content:"5opusculy.top"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1514201/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514201; rev:1;)
# Layout: one rule per physical line. Suricata reads a rule file line by line, so a rule
# has to sit on a single line unless it is continued with a trailing backslash.
#
# URL indicators at confidence 75. http.host is an exact match (depth equals the content
# length, isdataat:!1,relative); http.uri is a prefix match with nocase.
# NOTE(review): these hosts carry short prefixes ("3g-", "3", "1i45") in front of names
# that other rules in this feed list unprefixed (sviriatoe.live, disciplipna.top,
# praetori.live). If a prefix is an artefact of how the indicator was captured upstream,
# the exact-match rule would never fire; confirm against the referenced ThreatFox entries.
# NOTE(review): the http.* buffers are only filled for cleartext (or decrypted) HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laopx"; depth:6; nocase; http.host; content:"3g-sviriatoe.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514200/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqwu"; depth:5; nocase; http.host; content:"3disciplipna.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514199/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vepr"; depth:5; nocase; http.host; content:"1i45praetori.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514198/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514198; rev:1;)
# ip:port indicator on port 53. The rule header is "alert tcp", so only TCP packets to
# this address and port match; the same endpoint reached over UDP is not covered here.
# NOTE(review): port 53 suggests DNS-shaped traffic; if the C2 channel is UDP DNS this
# rule will not alert. Confirm the transport with the referenced ThreatFox entry.
alert tcp $HOME_NET any -> [18.140.63.132] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514193/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514193; rev:1;)
# Domain indicators. dns_query is matched as the whole query name (depth equals the content
# length, isdataat:!1,relative, nocase), so a query for a name underneath ns1/ns2.dmakk.cn
# does not match.
# NOTE(review): the names look like name-server hosts; if the C2 encodes data in labels
# below them, these exact-match rules would miss that traffic. Verify before relying on them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns2.dmakk.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514192/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns1.dmakk.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514191/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514191; rev:1;)
# ip:port indicators at confidence 75. No flow or content keyword is present, so any TCP
# packet from $HOME_NET to the listed address and port matches, including an unanswered
# connection attempt. The threshold limits output to one alert per source IP per 60 seconds.
# NOTE(review): on a shared port such as 443 an address-only match cannot tell C2 from
# other services on the same address; correlate with TLS or endpoint telemetry.
alert tcp $HOME_NET any -> [94.228.113.197] 4701 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514190/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514190; rev:1;)
alert tcp $HOME_NET any -> [78.168.1.119] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514189/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514189; rev:1;)
alert tcp $HOME_NET any -> [77.244.220.81] 6443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514188/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514188; rev:1;)
alert tcp $HOME_NET any -> [75.2.99.37] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514187/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; 
sid:91514187; rev:1;)
# ip:port IOCs (confidence 75). These rules carry no flow or payload options:
# any TCP packet from $HOME_NET to the listed address and port matches, and
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at
# one alert per source address per 60 seconds. target:src_ip marks the
# $HOME_NET side as the target in the event. An address indicator says nothing
# about what was exchanged, and addresses get reassigned; first_seen in the
# metadata is the value to age these rules out on.
alert tcp $HOME_NET any -> [70.31.125.144] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514186/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514186; rev:1;)
alert tcp $HOME_NET any -> [65.153.151.61] 8800 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514185/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514185; rev:1;)
alert tcp $HOME_NET any -> [52.56.163.20] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514184/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514184; rev:1;)
alert tcp $HOME_NET any -> [52.223.43.230] 7443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514183/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514183; rev:1;)
alert tcp $HOME_NET any -> [47.129.6.50] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514182/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514182; rev:1;)
alert tcp $HOME_NET any -> [46.246.210.158] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514181/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514181; rev:1;)
alert tcp $HOME_NET any -> [39.40.136.162] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514180/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514180; rev:1;)
alert tcp $HOME_NET any -> [35.152.200.44] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514179/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514179; rev:1;)
alert tcp $HOME_NET any -> [3.96.152.27] 2535 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514178/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514178; rev:1;)
alert tcp $HOME_NET any -> [3.75.6.25] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514177/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514177; rev:1;)
alert tcp $HOME_NET any -> [3.232.226.225] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514176/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514176; rev:1;)
alert tcp $HOME_NET any -> [3.115.250.72] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514175/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514175; rev:1;)
# The address below is listed a second time in this feed with port 12721
# (sid 91514130, confidence 100); here it is port 443 at confidence 75.
alert tcp $HOME_NET any -> [208.123.119.210] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514174/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514174; rev:1;)
alert tcp $HOME_NET any -> [196.251.85.124] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514173/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514173; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.34] 7070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514172/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514172; rev:1;)
alert tcp $HOME_NET any -> [172.245.208.17] 14646 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514171/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514171; rev:1;)
alert tcp $HOME_NET any -> [172.111.244.142] 35889 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514170/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514170; rev:1;)
alert tcp $HOME_NET any ->
[147.189.128.43] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514169/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514169; rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches (no flow or payload options); the threshold caps output at one alert
# per source address per 60 seconds. The msg text and metadata carry the
# ThreatFox confidence level (75 for the first rules here, 100 further down),
# which is the only field separating otherwise identical rule shapes.
alert tcp $HOME_NET any -> [144.172.94.163] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514168/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514168; rev:1;)
alert tcp $HOME_NET any -> [116.26.11.126] 36099 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514167/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514167; rev:1;)
alert tcp $HOME_NET any -> [107.175.44.106] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514166/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514166; rev:1;)
alert tcp $HOME_NET any -> [107.143.144.156] 8080 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514165/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91514165; rev:1;)
alert tcp $HOME_NET any -> [194.113.245.11] 8474 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514162; rev:1;)
alert tcp $HOME_NET any -> [45.86.86.49] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514161; rev:1;)
alert tcp $HOME_NET any -> [172.166.104.19] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514160; rev:1;)
alert tcp $HOME_NET any -> [170.205.37.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514159; rev:1;)
alert tcp $HOME_NET any -> [49.232.143.137] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514158; rev:1;)
alert tcp $HOME_NET any -> [47.116.116.87] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514157; rev:1;)
alert tcp $HOME_NET any -> [110.41.60.33] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514156; rev:1;)
# Domain IOCs: the dns_query content is anchored at both ends (depth equals
# the name length, isdataat:!1,relative rejects anything longer) and nocase,
# so only a query for exactly the listed name alerts; subdomains do not.
# These rules have no threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u1.barbellblurry.today"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514149; rev:1;)
alert tcp $HOME_NET any -> [37.27.117.170] 8888 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viriatoe.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exitiumt.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opusculy.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514126/; target:src_ip; metadata:
confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514126; rev:1;)
# Domain IOCs: exact, case-insensitive match on the queried name (depth equals
# the name length, isdataat:!1,relative rejects anything longer). Subdomains
# of a listed name are not covered. The msg text separates "botnet C2 traffic"
# from "payload delivery"; classtype is trojan-activity for both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"civitasu.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lysez.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"praetori.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514128; rev:1;)
# URL IOC whose Host is an IP literal: the rule fires only when the Host
# header is exactly 185.39.17.122 and the URI starts with the listed path.
# The same address on port 80 also has an ip:port rule (sid 91514136,
# confidence 50) that fires on any TCP packet, so one request to this path can
# raise both alerts; this one is the more specific of the two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/som9unr/login.php"; depth:18; nocase; http.host; content:"185.39.17.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scriptao.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disciplipna.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zimwl.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514140; rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches; the threshold caps output at one alert per source per 60 seconds.
# The first rule below is rated 50 and targets port 80 on a bare address, so
# it cannot tell C2 traffic from any other HTTP request to that host.
alert tcp $HOME_NET any -> [185.39.17.122] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514136/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514136; rev:1;)
alert tcp $HOME_NET any -> [13.127.100.43] 20548 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514134; rev:1;)
alert tcp $HOME_NET any -> [195.82.147.63] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514133; rev:1;)
alert tcp $HOME_NET any -> [146.70.137.90] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514131; rev:1;)
alert tcp $HOME_NET any -> [98.217.73.238] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514132; rev:1;)
alert tcp $HOME_NET any -> [208.123.119.210] 12721 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514130; rev:1;)
alert tcp $HOME_NET any -> [8.138.189.93] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91514129; rev:1;)
# Payload-delivery pair for one host: the http rule needs the exact Host and a
# URI starting with /sign/in; the dns rule fires on the lookup alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign/in"; depth:8; nocase; http.host; content:"leannon.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leannon.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513935/; target:src_ip; metadata:
confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513935; rev:1;)
# Payload-delivery IOCs for one host: a dns rule on the exact name plus http
# rules per path. The http rules need an established client-to-server flow,
# "GET" in http.method, a URI that starts with the listed path (no end anchor)
# and a Host header equal to the listed name. Only plaintext HTTP is visible
# to these rules unless TLS is decrypted upstream of the sensor; the dns rule
# still covers the lookup.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yourcialsupply.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"yourcialsupply.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"yourcialsupply.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"yourcialsupply.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiscos.zip"; depth:11; nocase; http.host; content:"uncustomary.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513940; rev:1;)
# Domain IOCs rated confidence 50. The match is exact and case-insensitive on
# the queried name, and there is no threshold, so each matching query alerts.
# At this rating an alert is a lead to corroborate with host telemetry, not a
# verdict on its own.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"darjkafsg.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514122/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"medimado.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514123/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"life223.center"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514119/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aloud745.asia"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514120/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dashboard.peripl.app"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514121/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514121; rev:1;)
# NOTE(review): the next three names sit under what look like shared
# tunnelling / port-forwarding parent domains (ply.gg, portmap.io). Each rule
# matches only the full hostname listed, so other hostnames under the same
# parent are neither flagged nor covered if the operator rotates to one.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"opportunity-commitment.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514117/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shopping-noted.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514118/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"3214r214r12412-50274.portmap.io"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514116/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514116; rev:1;)
# ip:port IOCs: the same address on two adjacent ports, each with its own sid.
# Any TCP packet to the address and port matches; one alert per source per
# 60 seconds per rule.
alert tcp $HOME_NET any -> [216.9.225.168] 14305 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514114/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514114; rev:1;)
alert tcp $HOME_NET any -> [216.9.225.168] 14306 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1514115/; target:src_ip; metadata: confidence_level 50, first_seen
2025_04_30; classtype:trojan-activity; sid:91514115; rev:1;)
# Domain IOCs rated confidence 50: exact, case-insensitive match on the
# queried name (depth equals the name length, isdataat:!1,relative rejects
# anything longer), no threshold. The first three names look like hostnames
# under shared dynamic-DNS or tunnelling parents (presumably; verify), so the
# exact-match form matters: other hostnames under the same parent are not
# flagged.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mxsunami.gotdns.ch"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514113/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"1puohi7iyi.loclx.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514112/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mywebh.kro.kr"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514111/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514111; rev:1;)
# NOTE(review): the www.* names from here on all include the "www." label, so
# a query for the bare domain does not match. Several of them (for example
# www.uperpaws.online and www.ysteryclick84.top) read as if a leading letter
# was dropped upstream; if so, the exact match would never fire on the
# intended name. Confirm against the referenced IOC pages before relying on
# these as coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zqp5.cyou"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514110/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rostaten.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514100/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rpxpdgpjn.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514101/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.t69oo.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514102/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ucky.business"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514103/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ulegame.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514104/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.unezstock.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514105/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uperpaws.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514106/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vhxvj.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514107/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xbrp6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514108/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ysteryclick84.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514109/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nbox.box"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514089/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.niteview.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514090/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30;
classtype:trojan-activity; sid:91514090; rev:1;)
# Domain IOCs rated confidence 50, all of the form www.<name>. Each rule
# matches the queried name exactly and case-insensitively (depth equals the
# name length, isdataat:!1,relative rejects anything longer), so the bare
# domain without "www." does not match, and there is no threshold.
# NOTE(review): several names (for example www.oundationsystems.xyz,
# www.otosnap.pics, www.nline4u.net) read as if a leading letter was dropped
# upstream; if so, these rules would never fire on the intended name. Confirm
# against the referenced IOC pages, and treat hits at this confidence as leads
# to corroborate rather than as verdicts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nline4u.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514091/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.okf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514092/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.om-dszi.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514093/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ordfilm-fans.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514094/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.otosnap.pics"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514095/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oundationsystems.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514096/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.owaniowa.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514097/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pl7bn.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514098/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rabsmp.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514099/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ickisaprick.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514079/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iep.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514080/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ilosportsy.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514081/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iwmn.cyou"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514082/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jjhldejorbvw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514083/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.k008.casino"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514084/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lgox.bot"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514085/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30;
classtype:trojan-activity; sid:91514085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.limpsepublishing.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514086/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lotpersen789.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514087/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.luegreencloud.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514088/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fqozq.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514070/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gleyucx.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514071/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gsp631.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514072/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gsp644.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514073/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hatsuptocachee.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514074/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.heautocademy.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514075/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.heitcommunity.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514076/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hljbh.top"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514077/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hmfdjxvnbsn.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514078/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.adekclimatecontrol.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514059/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arthes.app"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514060/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.atasha.group"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514061/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.attaa-king-fast.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514062/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bbrwv.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514063/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bere6.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ccng90.cyou"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514065/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealthywatches.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514066/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eartlandflagssy.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514067/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514067; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.empobetteklif.vip"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514068/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.erasync.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514069/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4260524.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514049/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4270864.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514050/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4271030.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514051/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.5z6hmy3.top"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514052/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.612tw.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514053/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.74bet.app"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514054/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7579.loan"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514055/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7jhm.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514056/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.97p7sa2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514057/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_04_30; classtype:trojan-activity; sid:91514057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9phm.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514058/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.329-homeremodel.sbs"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4260389.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1514048/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.xbrp6.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ysteryclick84.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514045/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.zqp5.cyou"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.rostaten.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514035/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.rpxpdgpjn.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514036/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.t69oo.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514037/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ucky.business"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514038/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ulegame.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514039/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.unezstock.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514040/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.uperpaws.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.vhxvj.cfd"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.wandafilmfestival.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514043/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.nline4u.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514026/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.okf.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514027/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.om-dszi.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514028/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514028; rev:1;) 
# ThreatFox URL IOCs (metadata confidence_level 50, first_seen 2025_04_30), one rule per host.
# Match logic: client-to-server traffic on an established flow (flow:established,from_client),
# http.method containing "GET", a URI beginning with "/mk20/" (depth:6, nocase), and an http.host
# value equal to the listed name (content of length N with depth:N plus isdataat:!1,relative).
# The host content carries no nocase because Suricata normalizes http.host to lowercase.
# The URI is anchored only at its start, so any path under /mk20/ on the listed host alerts.
# These rules need a parsed cleartext HTTP request; the same request inside TLS is not matched.
# Triage notes: confidence is 50%, so treat a hit as a lead to corroborate rather than a
# confirmed infection. No threshold keyword is set, so every matching request produces an alert.
# Several hosts also have a dns rule in this file (e.g. www.ordfilm-fans.online, sid:91514094).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ordfilm-fans.online"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514029/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.otosnap.pics"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514030/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.oundationsystems.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514031/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.owaniowa.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514032/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.pl7bn.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514033/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.rabsmp.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514034/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.iwmn.cyou"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514017/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.jjhldejorbvw.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514018/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.k008.casino"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514019/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.lgox.bot"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514020/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.limpsepublishing.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514021/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.lotpersen789.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514022/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.luegreencloud.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514023/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.nbox.box"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514024/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.niteview.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514025/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.gsp644.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.hatsuptocachee.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.heautocademy.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514010/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.heitcommunity.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514011/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.hljbh.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514012/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.hmfdjxvnbsn.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514013/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ickisaprick.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514014/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.iep.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ilosportsy.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514016/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.bere6.sbs"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ccng90.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514000/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.ealthywatches.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.eartlandflagssy.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.empobetteklif.vip"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.erasync.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.fqozq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514005/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.gleyucx.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.gsp631.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1514007/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91514007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.7579.loan"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513990/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.7jhm.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.97p7sa2.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513992/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.9phm.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.adekclimatecontrol.online"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.arthes.app"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513995/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.atasha.group"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513996/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.attaa-king-fast.online"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.bbrwv.sbs"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.329-homeremodel.sbs"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513982/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.4260389.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513983/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; 
sid:91513983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.4260524.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513984/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.4270864.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513985/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.4271030.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513986/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.5z6hmy3.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513987/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.612tw.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513988/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk20/"; depth:6; nocase; http.host; content:"www.74bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513989; rev:1;)
# dns_query rules: depth equals the name length and isdataat:!1,relative rejects trailing bytes, so only a
# query for exactly the listed name alerts. Other names under portmap.io or ply.gg do not fire.
# NOTE(review): both parent domains look like shared port-forwarding/tunnelling services - confirm before
# anyone widens these to a suffix match, which would alert on unrelated users of the same service.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ernjklnbwerkj-42355.portmap.io"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513981/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"businesses-exposure.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513979/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"engineering-groups.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513980/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513980; rev:1;)
# NOTE(review): this is an `alert http` rule, so it needs a request Suricata can parse as HTTP. If clients
# reach pastebin.com over TLS (presumably the usual case - confirm for your network), it only fires on
# decrypted traffic; otherwise cover this IOC from proxy logs or another source that sees the full URL.
# The URI test is a case-insensitive prefix (depth:13; nocase, no end anchor), so it is slightly wider than
# the one listed path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/s14cuu5g"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513978/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/som9unr/index.php"; depth:18; nocase; http.host; content:"185.39.17.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513977/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513977; rev:1;)
# NOTE(review): the pattern in the next rule is a hostname, but it is matched in http.uri from offset 0 and
# the rule has no http.host test. A request URI normally begins with "/", so as written this rule probably
# never matches. Check the IOC page in its reference for the intended URL before counting on coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tsoi-zhiv.com"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1513976/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513976; rev:1;)
# http.uri content:"/"; depth:1 holds for practically every request, so the next rule is in effect a
# Host-only match: any GET with Host 144.91.124.44 alerts, whatever the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"144.91.124.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513975/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"207.244.199.46"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513974/; target:src_ip;
metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.119.255.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513973/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"45.192.164.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513972/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513972; rev:1;)
# ip:port rules (here and in the run that follows): there is no content, flow or app-layer keyword, so the
# rule header - destination address and port - is the entire match. The alert says a host in $HOME_NET sent
# TCP traffic to that endpoint; it says nothing about the payload, and a connection attempt alone appears
# to be enough to raise it.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per source address per
# 60 seconds for each sid, so alert counts do not reflect connection counts.
# The malware family is carried only in msg, and first_seen in metadata is the only age signal. Addresses
# can be re-assigned or shared (notably on ports such as 80), so re-check older or confidence_level 50
# entries against the referenced IOC page before acting on a hit.
alert tcp $HOME_NET any -> [62.106.66.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513971/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513971; rev:1;)
alert tcp $HOME_NET any -> [18.132.192.123] 7218 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513970/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513970; rev:1;)
alert tcp $HOME_NET any -> [69.24.199.27] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513969/; target:src_ip; metadata:
confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513969; rev:1;) alert tcp $HOME_NET any -> [45.207.58.182] 8009 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513968/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513968; rev:1;) alert tcp $HOME_NET any -> [95.131.202.38] 8089 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513967; rev:1;) alert tcp $HOME_NET any -> [16.171.171.2] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513965; rev:1;) alert tcp $HOME_NET any -> [4.237.56.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513966; rev:1;) alert tcp $HOME_NET any -> [34.16.115.86] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513964/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513964; rev:1;) alert tcp $HOME_NET any -> [13.200.255.42] 175 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513962; rev:1;) alert tcp $HOME_NET any -> [136.144.164.95] 35002 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513963; rev:1;) alert tcp $HOME_NET any -> [51.44.180.18] 17 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513961; rev:1;) alert tcp $HOME_NET any -> [92.118.151.157] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513959; rev:1;) alert tcp $HOME_NET any -> [92.255.57.32] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513960/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513960; rev:1;) alert tcp $HOME_NET any -> [77.239.99.150] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513957/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; 
sid:91513957; rev:1;) alert tcp $HOME_NET any -> [193.176.23.5] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513958; rev:1;) alert tcp $HOME_NET any -> [118.122.8.154] 811 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513954/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513954; rev:1;) alert tcp $HOME_NET any -> [118.122.8.157] 811 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513955/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513955; rev:1;) alert tcp $HOME_NET any -> [118.122.8.155] 811 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513956/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513956; rev:1;) alert tcp $HOME_NET any -> [3.147.28.47] 8545 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513951/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513951; rev:1;) alert tcp $HOME_NET any -> [118.122.8.155] 12130 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1513952/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513952; rev:1;) alert tcp $HOME_NET any -> [118.122.8.156] 811 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513953/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513953; rev:1;) alert tcp $HOME_NET any -> [193.168.144.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513949/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513949; rev:1;) alert tcp $HOME_NET any -> [47.236.136.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513950/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513950; rev:1;) alert tcp $HOME_NET any -> [139.162.13.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513946/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513946; rev:1;) alert tcp $HOME_NET any -> [192.99.38.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513947/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513947; rev:1;) alert tcp $HOME_NET any -> [185.17.3.70] 31337 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513948/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513948; rev:1;) alert tcp $HOME_NET any -> [34.102.113.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513944/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513944; rev:1;) alert tcp $HOME_NET any -> [15.235.37.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513945/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513945; rev:1;) alert tcp $HOME_NET any -> [45.55.107.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513943/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513943; rev:1;) alert tcp $HOME_NET any -> [111.230.18.219] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513942/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; classtype:trojan-activity; sid:91513942; rev:1;) alert tcp $HOME_NET any -> [47.237.1.28] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513941/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_30; 
classtype:trojan-activity; sid:91513941; rev:1;)
# Domain rules match the exact query name only (depth equals the name length, isdataat:!1,relative rejects
# anything after it); a lookup for a subdomain of a listed name is not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"guket.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513933; rev:1;)
# doriot.info is covered twice: by the http rule below (GET, URI starting with "/", exact Host) and by the
# dns rule after it. One client that resolves the name and then fetches from it over cleartext HTTP can raise
# both sids; correlate on the source address rather than counting them as separate incidents.
# target:src_ip marks the source, i.e. the $HOME_NET host, as the target side in the alert record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"doriot.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"doriot.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513929; rev:1;)
alert tcp $HOME_NET any -> [209.141.50.64] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513931/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neon.galaxias.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513932/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513932; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.30] 7070
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513930/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal.bottomlinepracticesolutions.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bebir.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"novow.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"portal.bottomlinepracticesolutions.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513925; rev:1;) alert tcp $HOME_NET any -> [166.88.164.186] 443 (msg:"ThreatFox FAKEUPDATES 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.riverbankrejoicing.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513927; rev:1;) alert tcp $HOME_NET any -> [42.194.172.155] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513922/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"666.20240829.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513921/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513921; rev:1;) alert tcp $HOME_NET any -> [43.255.158.248] 11453 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513918; rev:1;) alert tcp $HOME_NET any -> [62.60.226.173] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513919/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513919; rev:1;)
# NOTE(review): the msg text is the only place the malware family appears; the metadata field
# carries confidence_level and first_seen only. Alert routing that needs the family has to parse
# msg or follow the reference URL.
alert tcp $HOME_NET any -> [41.216.189.234] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513917; rev:1;)
alert tcp $HOME_NET any -> [109.176.202.86] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513916; rev:1;)
alert tcp $HOME_NET any -> [188.27.76.253] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513915; rev:1;)
# NOTE(review): this rule matches the full query name as text (depth:42 plus isdataat:!1,relative).
# The dashed numeric label inside the name is part of that string only; the rule does not match
# traffic by destination address, and other names under plesk.page are not affected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quizzical-golick.94-156-177-241.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513914; rev:1;)
alert tcp $HOME_NET any -> [178.128.171.5] 28409 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513913; rev:1;)
alert tcp $HOME_NET any -> [49.232.143.137] 8081 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513911; rev:1;) alert tcp $HOME_NET any -> [180.76.244.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513912; rev:1;) alert tcp $HOME_NET any -> [121.5.157.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513910; rev:1;) alert tcp $HOME_NET any -> [39.101.171.116] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"wpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513908/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zivad.press"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"u1.spiritismprotozoan.bet"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513906/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513906; rev:1;)
# NOTE(review): url rule = GET method + URI beginning with "/sign/in" (depth:8, nocase, no end
# anchor, so longer paths with this prefix also match) + Host equal to the full tunnel hostname
# (depth:61 plus isdataat:!1,relative). Being an "alert http" rule it only sees requests Suricata
# parses as HTTP; the same request inside TLS is not inspected unless traffic is decrypted
# upstream. The dns rule sid:91513905 further down covers the lookup of the same name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign/in"; depth:8; nocase; http.host; content:"cleaner-consideration-thoroughly-personally.trycloudflare.com"; depth:61; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vytoz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513898; rev:1;)
# NOTE(review): exact-name match on a hostname under trycloudflare.com. The anchoring is what
# keeps this rule from alerting on other names under that shared parent domain; keep depth and
# isdataat together if the rule is ever edited locally.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cleaner-consideration-thoroughly-personally.trycloudflare.com"; depth:61; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513905; rev:1;)
alert tcp $HOME_NET any -> [98.177.107.151] 60448 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513903/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513903; rev:1;) alert tcp $HOME_NET any -> [70.31.125.193] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513902/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513902; rev:1;) alert tcp $HOME_NET any -> [4.240.2.164] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513901/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"wvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513900/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bent"; depth:5; nocase; http.host; content:"vdatamanipy.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513899/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513899; rev:1;) alert tcp $HOME_NET any -> [94.26.90.81] 7771 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1513897/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"cbtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513896/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513896; rev:1;) alert tcp $HOME_NET any -> [198.135.49.120] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513895/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513895; rev:1;) alert tcp $HOME_NET any -> [196.251.84.214] 8001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513894/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513894; rev:1;) alert tcp $HOME_NET any -> [185.244.30.102] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513893/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513893; rev:1;) alert tcp $HOME_NET any -> [185.101.38.39] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513892/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; 
sid:91513892; rev:1;)
alert tcp $HOME_NET any -> [184.97.3.210] 8080 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513891/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513891; rev:1;)
# NOTE(review): the url rules below require all three of: method containing "GET", a URI that
# starts with the listed path (case-insensitive, prefix only), and a Host value equal to the
# listed name. A request with another method to the same host and path does not match.
# These are "alert http" rules, so they depend on Suricata seeing the request as cleartext HTTP.
# The scheme of the original IOC is not recorded in the rule; if the endpoints are served over
# TLS, nothing here fires without decryption -- TODO confirm against the reference URLs.
# Unlike the ip:port rules these carry no threshold keyword, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"ktechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513890/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"kdatawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513889/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowp"; depth:5; nocase; http.host; content:"brandihx.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513888/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513888; rev:1;)
# NOTE(review): same "/riid" path as sid:91513890 with a host that differs in its first
# character. Because the host match is exact, each such variant needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"xtechsyncq.run"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513887/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"ybearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513886/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"qvecturar.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513885/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"mzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513884/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"ddatawavej.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513883/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513883; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oipz"; depth:5; nocase; http.host; content:"btechwaveg.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513882/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bent"; depth:5; nocase; http.host; content:"5datamanipy.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513881/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513881; rev:1;)
# NOTE(review): the two rules below name individual hosts under pages.dev. depth equals the
# pattern length and isdataat:!1,relative requires the query to end there, so only these exact
# names alert; lookups for other names under pages.dev are untouched. Loosening either anchor
# would widen the match to unrelated names on the same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tuboos.pages.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yuun.pages.dev"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jumstor.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513880; 
rev:1;) alert tcp $HOME_NET any -> [15.157.69.142] 40257 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513877; rev:1;) alert tcp $HOME_NET any -> [195.82.147.63] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513876; rev:1;) alert tcp $HOME_NET any -> [152.42.195.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513875; rev:1;) alert tcp $HOME_NET any -> [172.188.218.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513874; rev:1;) alert tcp $HOME_NET any -> [196.251.116.152] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513873; rev:1;) alert tcp $HOME_NET any -> [45.138.16.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1513872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513872; rev:1;) alert tcp $HOME_NET any -> [139.180.217.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513871; rev:1;) alert tcp $HOME_NET any -> [47.129.6.50] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513870; rev:1;) alert tcp $HOME_NET any -> [148.66.16.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513868; rev:1;) alert tcp $HOME_NET any -> [148.66.16.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513869; rev:1;) alert tcp $HOME_NET any -> [47.108.158.237] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513867; rev:1;) alert tcp $HOME_NET any -> [34.93.12.185] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513866; rev:1;)
# NOTE(review): dns rules fire on the name lookup itself, independent of the protocol the client
# uses afterwards. They match the exact name only (depth == pattern length, isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victoreqs.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brandihx.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513864; rev:1;)
# NOTE(review): the url rules below have no dns rule for the same host next to them here. They
# match cleartext HTTP only (GET, URI prefix, exact Host), so if these hosts are reached over TLS
# this part of the ruleset gives no coverage for them -- verify against the reference URLs.
# confidence_level in metadata is 75 for these and 100 for the dns rules above; it can be used to
# route or prioritise alerts downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"ustarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513863/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saud"; depth:5; nocase; http.host; content:"narwhaltr.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513862/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"ihemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513861/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jezyq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"xcelmodo.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513860/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"8piratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513859/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"stewframe.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513858/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513858; rev:1;)
# NOTE(review): here http.host is compared against an IP literal. The rule header still says
# $EXTERNAL_NET any, so the destination address itself is not constrained; the rule matches only
# when the client sends this literal as the Host value. A request to the same server under a
# hostname would not match. The URI is a prefix match (depth:28, nocase, no end anchor).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avg/14840646743032cdbox.php"; depth:28; nocase; http.host; content:"185.101.93.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513856; rev:1;)
# NOTE(review): ip:port rules match on the TCP header alone (no flow or content keyword), so any
# packet from $HOME_NET to the address and port alerts, subject to the one-alert-per-source-per-
# 60-seconds threshold. Each address/port pair is its own rule with its own sid, so the same
# address on ports 80 and 443 below produces separate, separately thresholded alerts.
alert tcp $HOME_NET any -> [62.60.234.10] 1488 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513851/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513851; rev:1;)
alert tcp $HOME_NET any -> [124.223.32.16] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513812; rev:1;)
alert tcp $HOME_NET any -> [148.66.16.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513813; rev:1;)
alert tcp $HOME_NET any -> [148.66.16.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; 
sid:91513814; rev:1;) alert tcp $HOME_NET any -> [51.20.93.22] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513815/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_30; classtype:trojan-activity; sid:91513815; rev:1;) alert tcp $HOME_NET any -> [128.90.113.26] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513816; rev:1;) alert tcp $HOME_NET any -> [128.90.113.26] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513817; rev:1;) alert tcp $HOME_NET any -> [38.76.247.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513819; rev:1;) alert tcp $HOME_NET any -> [128.90.113.26] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513818; rev:1;) alert tcp $HOME_NET any -> [107.172.102.50] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1513820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513820; rev:1;) alert tcp $HOME_NET any -> [173.208.162.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513821; rev:1;) alert tcp $HOME_NET any -> [194.164.194.149] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513822; rev:1;) alert tcp $HOME_NET any -> [45.134.39.5] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513824; rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513825; rev:1;) alert tcp $HOME_NET any -> [45.134.39.5] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513823; rev:1;) alert tcp $HOME_NET any -> [91.99.67.156] 443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513826; rev:1;)
# NOTE(review): the rules below are labelled "Unknown malware", so the alert text gives no family
# to triage against; the reference URL is the only pointer to context. They match on destination
# address and port alone, several of them on 443 or 8080/8443, and the rule records first_seen
# but no expiry. Addresses can be reassigned or shared -- NOTE(review): confirm each IOC is still
# current before using these alerts as a basis for blocking, and age entries out on a schedule.
alert tcp $HOME_NET any -> [137.184.89.150] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513827; rev:1;)
alert tcp $HOME_NET any -> [44.231.48.102] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513829; rev:1;)
alert tcp $HOME_NET any -> [103.8.185.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513828; rev:1;)
alert tcp $HOME_NET any -> [3.141.206.31] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513830; rev:1;)
alert tcp $HOME_NET any -> [3.129.118.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513831/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513831; rev:1;)
# ip:port entries: each rule names one destination address and port and carries no flow or payload
# condition, so the match rests on addresses and port alone. "threshold: type limit, track by_src,
# seconds 60, count 1" holds each rule to one alert per source address per 60 seconds.
# target:src_ip labels the $HOME_NET side as the target in alert output.
# Triage: the rule text has no expiry; confidence_level and first_seen in metadata are the only
# quality and age hints, so address indicators should be aged out on first_seen by local policy.
alert tcp $HOME_NET any -> [172.208.53.96] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513832; rev:1;)
alert tcp $HOME_NET any -> [89.248.170.161] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513833; rev:1;)
alert tcp $HOME_NET any -> [149.90.103.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513834; rev:1;)
alert tcp $HOME_NET any -> [34.72.179.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513835; rev:1;)
alert tcp $HOME_NET any -> [43.205.218.182] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513836; rev:1;)
alert tcp $HOME_NET any -> [3.142.104.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513838; rev:1;)
alert tcp $HOME_NET any -> [52.14.245.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513839; rev:1;)
alert tcp $HOME_NET any -> [3.216.45.175] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513841; rev:1;)
alert tcp $HOME_NET any -> [5.78.77.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513837; rev:1;)
alert tcp $HOME_NET any -> [35.173.246.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513840; rev:1;)
# domain entries: dns_query content with depth equal to the name length plus isdataat:!1,relative is
# an exact, case-insensitive (nocase) match on the queried name. A query for a subdomain of a listed
# name does not match, and only lookups visible to this sensor are covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muvom.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lyqej.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wakor.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moriartybirds.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"niaolas.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513772; rev:1;)
# url entries: http.host is matched exactly (depth + isdataat:!1,relative); http.uri is anchored at
# the start only (depth, no end check), so longer URIs with the same prefix also match; the
# http.method content "GET" has no position modifier. These keywords inspect parsed HTTP, so a
# request carried inside TLS is not seen unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign/in"; depth:8; nocase; http.host; content:"leeling.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513775; rev:1;)
# Rule forms used below:
#   domain  - dns_query content with depth equal to the name length plus isdataat:!1,relative:
#             exact, case-insensitive match on the queried name; subdomains do not match.
#   url     - http.host matched exactly, http.uri matched as a prefix only (depth, no end check),
#             http.method content "GET" without a position modifier. Parsed HTTP only, so requests
#             inside TLS are not seen unless traffic is decrypted before the sensor.
#   ip:port - one destination address and port, no flow or payload condition; "threshold: type
#             limit, track by_src, seconds 60, count 1" = one alert per source address per 60 s.
# target:src_ip labels the $HOME_NET side as the target in alert output.
# Triage: confidence_level and first_seen in metadata are the only quality and age hints carried
# by a rule; nothing here expires an indicator, so ageing must come from local policy.
# NOTE(review): dns_query is the older spelling of dns.query, while the url rules use the dotted
# http.* buffer names - confirm the deployed Suricata version loads both forms without warnings.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leeling.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wlandersmountain.click"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"netscoute.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nwxf4tjx9nrn34/index.php"; depth:25; nocase; http.host; content:"canopyselected.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"tsoi-zhiv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hywod.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.exceptionicon.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513725; rev:1;)
alert tcp $HOME_NET any -> [175.107.38.81] 8100 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenhoet.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nodepathr.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crrtwright.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513714; rev:1;)
# The next name sits under pages.dev, a shared platform domain (Cloudflare Pages); the exact-match
# form keeps this rule from firing on other sites hosted under the same parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"min-js-lib.pages.dev"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mentor.omgwowhq.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mypah.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513681; rev:1;)
# Cobalt Strike, Sliver, Havoc and Brute Ratel C4 entries use the same "botnet C2 traffic" msg
# template as the malware families. They are C2 frameworks that also turn up in authorised
# red-team work, so check a hit against any active engagement before treating it as an intrusion.
alert tcp $HOME_NET any -> [189.1.229.235] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513849; rev:1;)
alert tcp $HOME_NET any -> [154.201.74.112] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513848; rev:1;)
alert tcp $HOME_NET any -> [124.70.204.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513847; rev:1;)
alert tcp $HOME_NET any -> [8.138.19.182] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513846; rev:1;)
alert tcp $HOME_NET any -> [103.233.253.26] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513845; rev:1;)
alert tcp $HOME_NET any -> [113.44.168.133] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nkdnopfdabcj.izipy.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513842; rev:1;)
# The url entries that follow at confidence level 75 use five-character URI prefixes; because
# http.uri is a prefix match, the exact http.host match does the discriminating work in each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"wtechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513811/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhgf"; depth:5; nocase; http.host; content:"pblockhubr.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513810/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"ibearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513809/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eand"; depth:5; nocase; http.host; content:"eaglekl.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513808/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"4zenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513807/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsia"; depth:5; nocase; http.host; content:"vecturar.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513804/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwes"; depth:5; nocase; http.host; content:"techchaiun.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513803/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bent"; depth:5; nocase; http.host; content:"datamanipy.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513801/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bafy"; depth:5; nocase; http.host; content:"datawavej.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513802/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzea"; depth:5; nocase; http.host; content:"corexlaib.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513800/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"cmwoodpeckersd.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513799/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"1geographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513798/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_30; classtype:trojan-activity; sid:91513798; rev:1;)
alert tcp $HOME_NET any -> [147.124.219.157] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513795; rev:1;)
alert tcp $HOME_NET any -> [209.141.55.248] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513794; rev:1;)
alert tcp $HOME_NET any -> [146.70.24.193] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513792; rev:1;)
alert tcp $HOME_NET any -> [23.227.199.118] 14443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513793; rev:1;)
alert tcp $HOME_NET any -> [104.248.5.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513790; rev:1;)
alert tcp $HOME_NET any -> [54.206.1.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513791; rev:1;)
alert tcp $HOME_NET any -> [173.208.162.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513789; rev:1;)
alert tcp $HOME_NET any -> [173.44.139.179] 7272 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513788; rev:1;)
alert tcp $HOME_NET any -> [188.218.201.194] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513787; rev:1;)
alert tcp $HOME_NET any -> [185.39.17.25] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513785; rev:1;)
alert tcp $HOME_NET any -> [137.184.190.241] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513786; rev:1;)
alert tcp $HOME_NET any -> [148.66.16.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513783; rev:1;)
alert tcp $HOME_NET any -> [148.66.16.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513784; rev:1;)
alert tcp $HOME_NET any -> [148.66.16.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513782; rev:1;)
alert tcp $HOME_NET any -> [43.142.157.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513780; rev:1;)
alert tcp $HOME_NET any -> [39.101.135.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513781; rev:1;)
alert tcp $HOME_NET any -> [47.115.227.6] 4432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513778; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.251] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_30; classtype:trojan-activity; sid:91513779; rev:1;)
alert tcp $HOME_NET any -> [54.244.226.5] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513774/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"static.wps-cdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513773/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513773; rev:1;)
alert tcp $HOME_NET any -> [84.9.20.90] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513771/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513771; rev:1;)
alert tcp $HOME_NET any -> [2.88.106.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513770/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513770; rev:1;)
alert tcp $HOME_NET any -> [169.1.137.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513769/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513769; rev:1;)
# The next three entries share one address (154.81.182.79) on ports 8443, 8888 and 443. Each has
# its own sid and its own per-source threshold, so a single host can raise up to three alerts per
# 60 seconds for this address; correlate on destination address rather than on sid.
alert tcp $HOME_NET any -> [154.81.182.79] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513767/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513767; rev:1;)
alert tcp $HOME_NET any -> [154.81.182.79] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513768/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513768; rev:1;)
alert tcp $HOME_NET any -> [154.81.182.79] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513766/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513766; rev:1;)
alert tcp $HOME_NET any -> [116.26.10.55] 47031 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513765/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513765; rev:1;)
alert tcp $HOME_NET any -> [104.37.174.16] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513764/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513764; rev:1;)
alert tcp $HOME_NET any -> [103.233.8.46] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513763/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513763; rev:1;)
alert tcp $HOME_NET any -> [23.227.199.118] 15443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513760; rev:1;)
alert tcp $HOME_NET any -> [139.9.131.153] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513758; rev:1;)
alert tcp $HOME_NET any -> [146.70.24.193] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513759; rev:1;)
alert tcp $HOME_NET any -> [154.61.80.193] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513757; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.152] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513756; rev:1;)
alert tcp $HOME_NET any -> [31.163.204.210] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513755; rev:1;)
alert tcp $HOME_NET any -> [43.255.159.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513754; rev:1;)
alert tcp $HOME_NET any -> [35.207.206.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513753; rev:1;)
alert tcp $HOME_NET any -> [8.138.189.93] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513751; rev:1;)
alert tcp $HOME_NET any -> [154.201.74.112] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513752; rev:1;)
# Confidence level 50 entry. http.host holds an IPv4 literal here, so only requests whose
# normalised Host value is exactly that address string satisfy the host condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"1.70.132.157"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sofyf.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"taciq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513722; rev:1;)
# tsoi-zhiv.com: this domain entry is rated 50 (first_seen 2025_04_29), while the url entry for the
# same host (sid 91513721, first_seen 2025_04_30) is rated 100. Confidence is per indicator, not
# per host, so read it from the rule that fired.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tsoi-zhiv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zynof.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"66.44.4t.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513716; rev:1;)
# http.uri content "/" with depth:1 is satisfied by any URI that begins with "/", so the rule
# below is in effect keyed on the exact http.host value and the GET method alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"66.44.4t.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513715; rev:1;)
alert tcp $HOME_NET any -> [8.217.196.192] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513713; rev:1;)
alert tcp $HOME_NET any -> [207.211.151.79] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513712; rev:1;)
alert tcp $HOME_NET any -> [47.121.120.18] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513711; rev:1;)
alert tcp $HOME_NET any -> [107.172.102.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513710; rev:1;)
alert tcp $HOME_NET any -> [107.174.133.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513709; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.152] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513707; rev:1;)
alert tcp $HOME_NET any -> [198.23.227.175] 8017 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513708; rev:1;)
alert tcp $HOME_NET any -> [84.200.205.74] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513705; rev:1;)
alert tcp $HOME_NET any -> [66.63.187.252] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513706; rev:1;)
alert tcp $HOME_NET any -> [18.200.221.191] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513704; rev:1;)
alert tcp $HOME_NET any -> [148.66.16.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513703; rev:1;)
alert tcp $HOME_NET any -> [1.94.249.10] 666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"khhlman.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3j9m.js"; depth:8; nocase; http.host; content:"alapige.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alapige.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"alapige.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"dashnex.plexusmarket.fund"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513675; rev:1;) alert tcp $HOME_NET any -> [185.149.146.118] 33334 (msg:"ThreatFox Unidentified 121 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513674; rev:1;) alert tcp $HOME_NET any -> [185.7.214.3] 56001 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513671; rev:1;) alert tcp $HOME_NET any -> [185.7.214.4] 56001 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513672; rev:1;) alert tcp $HOME_NET any -> [185.42.12.141] 56001 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"45.61.151.60"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1513669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"hannibal.dev"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"runolfsdotoir.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"amxdh1.icu"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amxdh1.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ifh/select.js"; depth:14; nocase; http.host; content:"amxdh1.icu"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"amxdh1.icu"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/core.zip"; depth:20; nocase; http.host; content:"carodine.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"carodine.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.retiremepaul.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"www.retiremepaul.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"108zhao.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"108zhao.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/index.php"; depth:14; nocase; http.host; content:"108zhao.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"108zhao.shop"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1513666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"108zhao.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.230.96.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datawavej.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datamanipy.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corexlaib.top"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techchaiun.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.97.42.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"1.15.62.170"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srndp.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"organicflowers.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513643; rev:1;) alert tcp $HOME_NET any -> [18.212.130.9] 4000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513647/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marinescoatsnow.click"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513644; rev:1;) alert tcp $HOME_NET any -> [185.39.17.103] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513645; rev:1;) alert tcp $HOME_NET any -> [88.214.48.111] 483 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513631; rev:1;) alert tcp $HOME_NET any -> [23.227.199.118] 45677 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513642/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_29; classtype:trojan-activity; sid:91513642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attt.shop"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513641; rev:1;) alert tcp $HOME_NET any -> [102.117.169.90] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513640; rev:1;) alert tcp $HOME_NET any -> [94.156.177.241] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513638; rev:1;) alert tcp $HOME_NET any -> [82.223.48.201] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513639; rev:1;) alert tcp $HOME_NET any -> [103.233.8.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513637; rev:1;) alert tcp $HOME_NET any -> [185.26.236.38] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513636; rev:1;) alert tcp $HOME_NET any -> [148.66.16.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513634; rev:1;) alert tcp $HOME_NET any -> [148.66.16.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513635; rev:1;) alert tcp $HOME_NET any -> [43.242.201.14] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513633; rev:1;) alert tcp $HOME_NET any -> [82.29.71.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kghk"; depth:5; nocase; http.host; content:"techcastlev.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513630/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xzpd"; depth:5; nocase; http.host; content:"bardsyies.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513629/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"805longitudde.digital"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513628/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swordandsr.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513600/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botflowe.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513601/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"medievaltao.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1513602/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aquilaew.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513603/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"battloeaxes.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513604/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"enchanyo.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513605/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wizardrry.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513607/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"romulusy.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513606/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; 
sid:91513606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fairytas.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513608/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"castuwalls.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513609/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mealair.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513610/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"equitesq.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513612/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"questforhoq.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513611/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"caligust.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513614/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513614; rev:1;)
# Domain rules (alert dns): depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so the query name must equal
# the listed name exactly (case-insensitively, via nocase). A lookup for a subdomain
# or any longer name does not match.
# A hit shows that a host asked to resolve the name, not that it connected to it.
# NOTE(review): where clients use an internal resolver, the alerting source may be the
# resolver rather than the endpoint - depends on sensor placement and $HOME_NET; confirm.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"legenudso.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513599/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smartasxlgorithm.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513598/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gladiisr.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513595/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wiyzardin.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513596/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"obeliske.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513597/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"realtorpichardo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513594/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gotoselfmade.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ctpzd.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513593; rev:1;)
# URL rules (alert http): http.uri is anchored at the start by depth only, so it is a
# prefix match (a longer path or an appended query string still matches); http.host
# also carries isdataat:!1,relative and must equal the listed host.
# These rules only see traffic Suricata parses as HTTP; the same request inside TLS is
# not matched unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arrow_h_145.svg"; depth:16; nocase; http.host; content:"ms2.rybos.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"parismeteells.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513581; rev:1;)
# The next two sids cover the same host: the URL rule is published at confidence 50,
# the domain rule at 100. A single fetch can raise both (lookup, then cleartext GET),
# so correlate them per source instead of counting two separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9hpsuytjam.bip"; depth:15; nocase; http.host; content:"u1.paralegalchemicals.run"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1.paralegalchemicals.run"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kqwrv.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"easyboty.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513613/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eaglekl.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513615/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513615; rev:1;)
# URL rules, sids 91513616-91513627: established client-to-server flows whose method
# matches GET. The http.uri content is anchored at offset 0 by depth and has no
# isdataat, so each short path (/iods, /wood, ...) is a prefix match: longer paths and
# query strings still match. http.host must equal the listed name exactly.
# Cleartext HTTP only - the same request inside TLS is not matched unless it is
# decrypted before the sensor, so absence of alerts does not show absence of traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iods"; depth:5; nocase; http.host; content:"6zootechq.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513627/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wood"; depth:5; nocase; http.host; content:"swordandsr.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513626/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oturu"; depth:6; nocase; http.host; content:"nodepathr.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513625/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"afishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513624/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"0techsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513623/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"rvvigorbridgoe.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513622/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopd"; depth:5; nocase; http.host; content:"rushelectc.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513621/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"bwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513620/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"xbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513619/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tapo"; depth:5; nocase; http.host; content:"m2chivalroq.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513618/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"ajwparakehjet.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513617/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513617; rev:1;)
# Same URI prefix as sid 91513624 (afishgh.digital); the two host names differ only in
# their first character, so treat hits on either sid as related when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"0fishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513616/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513616; rev:1;)
# ip:port rules (alert tcp): there is no flow or content keyword, so any TCP packet
# from $HOME_NET to the listed address and port can match - including a connection
# attempt that never completed. threshold limits each sid to one alert per source
# address per 60 seconds. Check flow records before concluding a session was set up.
alert tcp $HOME_NET any -> [62.109.13.63] 7777 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513591/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513591; rev:1;)
alert tcp $HOME_NET any -> [54.38.94.225] 8882 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513590/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513590; rev:1;)
# ip:port rules (alert tcp): no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port can match, including an attempt that never
# completed. threshold limits each sid to one alert per source address per 60 seconds,
# so alert counts understate the number of connections.
# The indicator is an address and port only; first_seen in metadata is the only age
# information carried by the rule - weigh older entries accordingly.
alert tcp $HOME_NET any -> [196.251.73.133] 4752 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513589/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513589; rev:1;)
alert tcp $HOME_NET any -> [173.225.103.138] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513588/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513588; rev:1;)
alert tcp $HOME_NET any -> [154.30.4.199] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513587/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513587; rev:1;)
alert tcp $HOME_NET any -> [111.29.40.211] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513586/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513586; rev:1;)
alert tcp $HOME_NET any -> [107.143.144.154] 8080 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513585/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513585; rev:1;)
alert tcp $HOME_NET any -> [176.65.148.196] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513580; rev:1;)
alert tcp $HOME_NET any -> [3.110.43.70] 59567 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513579; rev:1;)
alert tcp $HOME_NET any -> [3.24.212.87] 7001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513577; rev:1;)
alert tcp $HOME_NET any -> [3.24.212.87] 9201 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513578; rev:1;)
# Domain rules (alert dns): depth equals the content length and isdataat:!1,relative
# requires that nothing follows, so only a query for exactly the listed name matches
# (case-insensitively); subdomains and longer names do not. A hit shows a resolution
# request, not a connection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antoanthongtin.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513575; rev:1;)
# NOTE(review): the label 196-251-73-47 reads like an IPv4 address written with dashes;
# if so, that address is worth checking in flow logs alongside this name - confirm
# against the ThreatFox entry before acting on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zealous-cohen.196-251-73-47.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513576; rev:1;)
alert tcp $HOME_NET any -> [144.91.124.44] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513573; rev:1;)
alert tcp $HOME_NET any -> [144.91.124.44] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513574; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.68] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513571; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.129] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513572; rev:1;)
# The xn-- prefix marks an IDNA-encoded (punycode) label. The rule matches the encoded
# form as it appears in DNS queries; decode it when presenting the alert to analysts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xn--bz-hep-p9af.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513569; rev:1;)
# NOTE(review): as with sid 91513576, the label 94-156-177-241 reads like a dashed
# IPv4 address - confirm before pivoting on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautiful-faraday.94-156-177-241.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513570; rev:1;)
alert tcp $HOME_NET any -> [185.146.232.169] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513568; rev:1;)
alert tcp $HOME_NET any -> [84.201.20.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513566; rev:1;)
alert tcp $HOME_NET any -> [119.8.103.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513567; rev:1;)
alert tcp $HOME_NET any -> [129.226.212.179] 11112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vecturar.top"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513520; rev:1;)
# Domain rules (alert dns): depth equals the content length and isdataat:!1,relative
# requires that nothing follows, so only a query for exactly the listed name matches
# (case-insensitively); subdomains and longer names do not.
# Most entries below carry confidence_level 50, the lowest value that appears in this
# part of the feed. The value is in metadata, so it can drive alert routing or
# severity instead of treating every sid alike.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gorillao.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"quonecony.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rusconfi.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"techwaveg.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hungreecoq.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bardcauft.run"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lemurz.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513560/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"surmisehotte.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"intelhube.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513562; rev:1;)
# The next two sids cover the same host by DNS and by URL. In the URL rule the
# http.uri content is "/" with depth:1, which any request URI beginning with "/"
# satisfies, so sid 91513553 is in effect a host-only match on cleartext HTTP GETs
# (requests inside TLS are not seen unless decrypted before the sensor).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"62.3a.4t.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"62.3a.4t.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"clients.contology.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"smart-american.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viridisw.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513521; rev:1;)
# NOTE(review): ply.gg appears to be a shared parent domain of a tunnelling service -
# confirm. Only the full listed host name matches; the parent domain and sibling
# names are not covered, and such names may be reassigned over time.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"archives-yn.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"moving-aims.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513548; rev:1;)
# Domain rules (alert dns): depth equals the content length and isdataat:!1,relative
# requires that nothing follows, so only a query for exactly the listed name matches
# (case-insensitively). Many names below sit under shared parent domains (ply.gg,
# duckdns.org, zapto.org, ydns.eu, portmap.io, pinggy.link); the parent and sibling
# names are not covered by these sids.
# NOTE(review): these parents look like dynamic-DNS or tunnelling services, whose host
# names can be reassigned - weigh first_seen and confidence_level 50 when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"property-send.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"senior-bottles.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513550; rev:1;)
# URL rule on a shared paste service: the host alone is not an indicator, the URI
# prefix carries it. Two caveats for triage: the rule only sees cleartext HTTP (a
# request inside TLS is not matched unless decrypted before the sensor), and nocase on
# http.uri means a path differing only in letter case also matches.
# NOTE(review): if paste identifiers are case-sensitive, such a hit could be a
# different paste - compare the logged URI with the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/0x4emxv3"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513546; rev:1;)
# ip:port rules (alert tcp): no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port can match, including an attempt that never
# completed; threshold limits each sid to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [216.9.225.163] 27070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513543; rev:1;)
alert tcp $HOME_NET any -> [216.9.225.168] 13604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513544; rev:1;)
alert tcp $HOME_NET any -> [216.9.225.168] 13605 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"5502-3.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"klm21.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513540/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pureee.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wudthost.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pangacnc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513538/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"js.kzlyxu.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513537; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bypasspayload69.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kazze1010-29924.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513534; rev:1;)
# Second paste-service URL rule; the same cleartext-only and nocase caveats apply as
# for sid 91513546 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/a0x8px5p"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513533; rev:1;)
alert tcp $HOME_NET any -> [160.250.134.185] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"deadpoolstart2051.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"district-cells.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rnmlz-95-88-102-149.a.free.pinggy.link"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; 
dns_query; content:"rnxck-95-88-102-149.a.free.pinggy.link"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513531; rev:1;)
# URL rules with an IP literal in http.host: the Host value must equal the listed
# address exactly (depth plus isdataat:!1,relative), while http.uri is anchored at
# the start by depth only and is therefore a prefix match.
# Cleartext HTTP only - a request inside TLS is not matched unless it is decrypted
# before the sensor. All four carry confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/pvqdq929bsx_a_d_m1n_a.php"; depth:41; nocase; http.host; content:"94.156.177.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513527; rev:1;)
# http.uri content "/" with depth:1 is satisfied by any request URI beginning with
# "/", so this sid is in effect a host-only match on GET requests to that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.141.233.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513526; rev:1;)
# NOTE(review): the path reads like a management-panel login page; the rule fires when
# a $HOME_NET client requests it, which does not by itself show that the client is
# infected - check what the requesting host and process were before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"45.192.164.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.113.75.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513524; rev:1;)
# ip:port rules (alert tcp): no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port can match, including an attempt that never
# completed; threshold limits each sid to one alert per source address per 60 seconds.
# Every entry below is confidence_level 50 and rests on address and port alone, with
# common ports such as 80 and 443 among them - corroborate with flow records or host
# telemetry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [64.176.225.161] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513523; rev:1;)
alert tcp $HOME_NET any -> [82.116.45.20] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513522; rev:1;)
alert tcp $HOME_NET any -> [94.98.218.137] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513519; rev:1;)
alert tcp $HOME_NET any -> [149.210.24.9] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513518; rev:1;)
alert tcp $HOME_NET any -> [66.179.93.49] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513517; rev:1;)
alert tcp $HOME_NET any -> [185.84.161.194] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513516; rev:1;)
alert tcp $HOME_NET any -> [162.252.173.119] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513514; rev:1;)
alert tcp $HOME_NET any -> [194.26.29.44] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513515; rev:1;)
alert tcp $HOME_NET any -> [211.192.69.59] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513513; rev:1;)
alert tcp $HOME_NET any -> [74.177.197.62] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513512; rev:1;)
alert tcp $HOME_NET any -> [64.23.209.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513510; rev:1;)
alert tcp $HOME_NET any -> [5.181.159.88] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513511; rev:1;)
alert tcp $HOME_NET any -> [3.36.21.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513507; rev:1;)
alert tcp $HOME_NET any -> [4.207.15.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513508; rev:1;)
alert tcp $HOME_NET any -> [172.236.137.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513509; rev:1;)
alert tcp $HOME_NET any -> [34.102.87.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513505; rev:1;)
alert tcp $HOME_NET any -> [94.156.35.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513506; rev:1;) alert tcp $HOME_NET any -> [45.12.151.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513504; rev:1;) alert tcp $HOME_NET any -> [106.15.127.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513503; rev:1;) alert tcp $HOME_NET any -> [179.43.186.234] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513501; rev:1;) alert tcp $HOME_NET any -> [116.198.229.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513502; rev:1;) alert tcp $HOME_NET any -> [20.199.40.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513500/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513500; rev:1;) alert tcp $HOME_NET any -> 
[47.92.156.2] 8843 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513499/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513499; rev:1;)
# This run mixes url indicators ("alert http") with ip:port indicators
# ("alert tcp").
#
# url rules: the client request must be a GET; http.uri must begin with the
# listed path (depth equals the path length, nocase, and nothing anchors the
# end, so a longer URI with that prefix also matches); http.host must equal
# the listed name exactly (depth equals its length and isdataat:!1,relative
# requires that no byte follows it).
# NOTE(review): several host names here differ only in their leading
# characters (the *techsyncq.run, *parakehjet.run, *zenithcorde.top,
# *btcgeared.live, *buzzarddf.live and *techguidet.digital entries). Because
# each rule is an exact host match, a variant that is not listed is not
# covered.
# NOTE(review): these rules only see requests Suricata parses as HTTP. If the
# same hosts are reached over TLS, nothing here fires without decryption; the
# msg text does not state the scheme, so confirm it on the referenced
# ThreatFox entry and consider a DNS or TLS SNI match for the same names.
#
# ip:port rules: match TCP traffic to one address and port with no flow or
# payload keyword; the threshold limits output to one alert per source host
# per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"9techsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513498/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513498; rev:1;)
alert tcp $HOME_NET any -> [38.54.14.89] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"yparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513496/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"wbtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513495/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"vparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513494/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"sbtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513493/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"ozenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513492/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"hclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513491/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"bzenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513490/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"a.techguidet.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513489/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"7buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513487/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"8bearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513488/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"4techguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513486/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"zparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513485/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"wa8btcgeared.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513484/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"tbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513483/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"ftechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513482/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"b6zenithcorde.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513481/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"azenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"8zenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513479/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"4clarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513478/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"0parakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513477/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"gtechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513475/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"hbuzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513476/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"9hbuzzarddf.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513474/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"2-longitudde.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513473/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513473; rev:1;)
alert tcp $HOME_NET any -> [82.21.158.147] 9373 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513472/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513472; rev:1;)
alert tcp $HOME_NET any -> [198.54.129.52] 6623 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513471/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"ufishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513470/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"ctechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513469/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"ybtcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513468/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"y-btcgeared.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513467/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"utechguidet.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513466/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"ptechsyncq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513465/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"mfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513464/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"9parakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513463/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"8buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513462/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"3buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513461/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"0zenithcorde.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513460/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gapo"; depth:5; nocase; http.host; content:"waardvarkw.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513459/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"wealthperson.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513458; rev:1;)
alert tcp $HOME_NET any -> [176.65.144.19] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513457/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513457; rev:1;)
# The host in the next rule is an IP literal, so it only matches requests whose
# Host header is exactly that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/pvqdq929bsx_a_d_m1n_a.php"; depth:41; nocase; http.host; content:"94.156.177.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513445; rev:1;)
alert tcp $HOME_NET any -> [209.141.34.106] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513446/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dmlfq.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1513447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513447; rev:1;) alert tcp $HOME_NET any -> [189.1.219.57] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513448; rev:1;) alert tcp $HOME_NET any -> [176.65.138.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513449; rev:1;) alert tcp $HOME_NET any -> [35.84.54.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513439; rev:1;) alert tcp $HOME_NET any -> [3.111.245.7] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513438; rev:1;) alert tcp $HOME_NET any -> [13.237.25.45] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513437; rev:1;) alert tcp $HOME_NET any -> [144.126.213.111] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513436; rev:1;) alert tcp $HOME_NET any -> [104.197.96.132] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513435; rev:1;) alert tcp $HOME_NET any -> [37.46.132.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513434; rev:1;) alert tcp $HOME_NET any -> [141.148.224.186] 55555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513433; rev:1;) alert tcp $HOME_NET any -> [44.237.17.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513432; rev:1;) alert tcp $HOME_NET any -> [103.197.226.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513431/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513431; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt; it is kept unchanged.)
#
# ThreatFox ip:port indicators as Suricata rules, one rule per line.
# Each rule fires on any TCP packet from $HOME_NET to the single listed address
# and port. No flow, flags or content keyword is present, so the match is on the
# destination alone and a bare connection attempt is enough to alert.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds. target:src_ip marks the internal
# host as the target side of the event.
# In every rule shown, sid = 90000000 + the ThreatFox IOC id in the reference URL.
# NOTE(review): an address-only match says nothing about what was exchanged, and
# the rule carries first_seen but no expiry; presumably the consumer has to age
# out stale entries itself. Confirm against the feed's retention policy.
alert tcp $HOME_NET any -> [143.198.212.64] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513430; rev:1;)
alert tcp $HOME_NET any -> [3.38.68.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513429; rev:1;)
alert tcp $HOME_NET any -> [209.38.57.27] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513428; rev:1;)
alert tcp $HOME_NET any -> [34.9.145.167] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513427; rev:1;)
alert tcp $HOME_NET any -> [158.160.166.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513426; rev:1;)
alert tcp $HOME_NET any -> [172.105.191.247] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513425; rev:1;)
alert tcp $HOME_NET any -> [108.61.171.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513424; rev:1;)
alert tcp $HOME_NET any -> [34.228.11.30] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513423; rev:1;)
alert tcp $HOME_NET any -> [16.171.23.7] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513422; rev:1;)
alert tcp $HOME_NET any -> [103.127.135.159] 7000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513421; rev:1;)
# confidence_level 90 here; the other complete rules in this group are 100.
alert tcp $HOME_NET any -> [85.158.108.85] 42368 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513420/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_29; classtype:trojan-activity; sid:91513420; rev:1;)
alert tcp $HOME_NET any -> [156.208.58.131] 4445 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513419; rev:1;)
alert tcp $HOME_NET any -> [196.251.73.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513418; rev:1;)
alert tcp $HOME_NET any -> [188.130.154.246] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513417; rev:1;)
# Same address on two ports (8081 and 9999): the feed emits one rule per ip:port pair.
alert tcp $HOME_NET any -> [198.44.168.41] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513414; rev:1;)
alert tcp $HOME_NET any -> [198.44.168.41] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513415; rev:1;)
# (The line below is the head of a rule that continues on the following line of the file.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; 
content:"fervent-curran.45-77-153-108.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513416/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_29; classtype:trojan-activity; sid:91513416; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt; it is kept unchanged.)
#
# Mixed ThreatFox indicators as Suricata rules, one rule per line.
# Two rule shapes appear here:
#   ip:port - "alert tcp ... -> [addr] port" with no flow or content keyword:
#             any TCP packet from $HOME_NET to that destination matches;
#             "threshold: type limit, track by_src, seconds 60, count 1"
#             caps output at one alert per source per 60 seconds.
#   domain  - "alert dns" on the dns_query buffer. depth equals the length of
#             the content string, which anchors the match at the start of the
#             query name, and isdataat:!1,relative requires that nothing
#             follows it. Together they match the exact name only, not its
#             subdomains. nocase makes the comparison case-insensitive.
# In every rule shown, sid = 90000000 + the ThreatFox IOC id in the reference URL.
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer;
# it still parses on current Suricata as far as I know. Verify on the deployed version.
alert tcp $HOME_NET any -> [77.83.175.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513413; rev:1;)
alert tcp $HOME_NET any -> [47.237.20.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513412; rev:1;)
alert tcp $HOME_NET any -> [27.106.121.98] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513411; rev:1;)
# Domain rules carry no threshold keyword, so each matching query can raise its own alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clfront-eu832.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucticiq.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porcupineq.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacksmithz.run"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paraperw.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axistechw.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513341; rev:1;)
alert tcp $HOME_NET any -> [94.228.126.219] 443 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quag.cn"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513349; rev:1;)
# NOTE(review): pages.dev looks like a hosting suffix shared by unrelated sites.
# The exact-name anchoring means only this one host name matches, not the
# suffix as a whole. Keep that in mind before widening the rule by hand.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yoloff.pages.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513344; rev:1;)
alert tcp $HOME_NET any -> [185.156.72.196] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513348; rev:1;)
# confidence_level 75. The destination port is 22, so the rule matches any TCP packet
# from $HOME_NET to this address on that port; triage with the lower confidence in mind.
alert tcp $HOME_NET any -> [185.12.204.106] 22 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513351/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nasalcloud.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513364; rev:1;)
# (The line below is the head of a rule that continues on the following line of the file.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ppssl.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1513365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513365; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt; it is kept unchanged.)
#
# Mixed ThreatFox indicators as Suricata rules, one rule per line.
# Three rule shapes appear here:
#   url     - "alert http" on client-to-server traffic of an established flow.
#             http.method must contain GET. The http.uri content has depth
#             equal to its own length and no end anchor, so it is a prefix
#             match and a longer URI with the same start also matches. The
#             http.host content has depth plus isdataat:!1,relative, so the
#             host must match exactly.
#   domain  - "alert dns" on the dns_query buffer; depth plus isdataat:!1,relative
#             make it an exact-name match, and nocase ignores case.
#   ip:port - "alert tcp" to one address and port with no content keyword,
#             limited to one alert per source per 60 seconds.
# In every rule shown, sid = 90000000 + the ThreatFox IOC id in the reference URL.
# NOTE(review): the url rules rely on parsed HTTP; requests carried inside TLS
# are presumably invisible to them unless traffic is decrypted before the sensor.
#
# ace-project.org appears twice: a url rule for one path and a domain rule for the
# name itself, so one fetch can raise both alerts (DNS lookup, then GET).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.js"; depth:5; nocase; http.host; content:"ace-project.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ace-project.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513384; rev:1;)
# NOTE(review): a path under /wp-content/ suggests a WordPress site, possibly a
# compromised legitimate host. Only the url is listed here, not the domain; verify
# before treating the whole site as hostile.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/dopi.zip"; depth:20; nocase; http.host; content:"www.eurobrandsindia.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513385; rev:1;)
# confidence_level 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"medievailfea.run"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513386/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.startingshabby.world"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wrltc.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513405; rev:1;)
# ip:port rule whose msg says "payload delivery" rather than "botnet C2 traffic".
alert tcp $HOME_NET any -> [23.227.196.18] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513443; rev:1;)
# confidence_level 50, the lowest in this group. The /wp-admin/ path again
# suggests a WordPress host (assumption; verify before escalating).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/user/webpanel/readme.txt"; depth:34; nocase; http.host; content:"lthomasinsurance.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513409/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_29; classtype:trojan-activity; sid:91513409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qrczb.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pigshow.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513335; rev:1;)
# NOTE(review): pages.dev looks like a shared hosting suffix; the exact-name
# anchoring confines the match to this one host name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"relmake.pages.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-2u6g-log.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"wavob.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513331; rev:1;)
# The http.host content here is an IP literal, so the rule keys on the Host value
# and not on the packet's destination address. confidence_level 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/fre.php"; depth:23; nocase; http.host; content:"94.156.177.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513442/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513442; rev:1;)
# (The line below is the head of a rule that continues on the following line of the file.)
alert tcp $HOME_NET any -> [89.42.88.41] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513441; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt; it is kept unchanged.)
#
# Mixed ThreatFox indicators as Suricata rules, one rule per line.
#   ip:port - "alert tcp" from $HOME_NET to one address and port. No flow or
#             content keyword, so any TCP packet to that destination matches;
#             the threshold limits output to one alert per source per 60 s.
#   url     - "alert http", GET only, established client-to-server flow. The
#             http.uri content is anchored at the start by depth with no end
#             anchor (prefix match); http.host must match exactly (depth plus
#             isdataat:!1,relative).
#   domain  - "alert dns" on dns_query, exact-name match, case-insensitive.
# metadata confidence_level repeats the percentage in msg; the rules at 75 are
# marked below so they can be triaged apart from the 100 entries.
# In every rule shown, sid = 90000000 + the ThreatFox IOC id in the reference URL.
alert tcp $HOME_NET any -> [102.96.214.106] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513440; rev:1;)
# confidence_level 75 (this rule and the two url rules after it).
alert tcp $HOME_NET any -> [37.120.210.211] 42830 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513408/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"pparakehjet.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513407/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"4btcgeared.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513406/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_29; classtype:trojan-activity; sid:91513406; rev:1;)
alert tcp $HOME_NET any -> [52.68.26.242] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513404; rev:1;)
alert tcp $HOME_NET any -> [54.232.158.79] 18246 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513403; rev:1;)
alert tcp $HOME_NET any -> [23.227.199.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.rqelo.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513402; rev:1;)
alert tcp $HOME_NET any -> [194.180.158.38] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513400; rev:1;)
alert tcp $HOME_NET any -> [37.27.249.115] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1618meritking.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513398; rev:1;)
alert tcp $HOME_NET any -> [158.247.239.228] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513396; rev:1;)
# Three consecutive addresses (.181, .182, .183) on the same port. Each rule names
# a single destination, so every address needs its own entry; a neighbouring
# address that is not listed does not match.
alert tcp $HOME_NET any -> [142.44.188.183] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513397; rev:1;)
alert tcp $HOME_NET any -> [142.44.188.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513394; rev:1;)
alert tcp $HOME_NET any -> [142.44.188.182] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513395; rev:1;)
# (The line below is the head of a rule that continues on the following line of the file.)
alert tcp $HOME_NET any -> [172.94.111.139] 16161 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513393/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513393; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt; it is kept unchanged.)
#
# ThreatFox url and ip:port indicators as Suricata rules, one rule per line.
#   url     - "alert http", flow:established,from_client, http.method GET.
#             The http.uri content carries depth equal to its length and no
#             end anchor, so a URI that merely starts with the string matches.
#             The http.host content has depth plus isdataat:!1,relative, so
#             only that exact host matches.
#   ip:port - "alert tcp" to one address and port with no flow or content
#             keyword; one alert per source per 60 seconds (threshold).
# first_seen changes from 2025_04_29 to 2025_04_28 after the first rule below.
# In every rule shown, sid = 90000000 + the ThreatFox IOC id in the reference URL.
# NOTE(review): every url rule here is confidence_level 75 and pairs a short
# URI prefix with an exact host. The host carries the signal; the prefix
# alone would be far too broad. Requests inside TLS are presumably not
# visible to these keywords unless decrypted upstream.
alert tcp $HOME_NET any -> [175.178.120.225] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_29; classtype:trojan-activity; sid:91513392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"rclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513391/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513391; rev:1;)
# pfishgh.digital (here) and 6fishgh.digital (two rules down) differ only in the
# first character and share the /tequ prefix. Host matching is exact, so each
# variant needs its own rule and an unlisted variant does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"pfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513389/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqwu"; depth:5; nocase; http.host; content:"lucticiq.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513388/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"6fishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513387/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxgd"; depth:5; nocase; http.host; content:"warldonvu.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513382/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"utropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513381/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"iwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513380/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513380; rev:1;)
# ip:port rules, all confidence_level 75. They match on destination only, so an
# alert shows that a host contacted the address, not what was exchanged.
alert tcp $HOME_NET any -> [70.31.125.193] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513379/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513379; rev:1;)
alert tcp $HOME_NET any -> [213.209.143.57] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513378/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513378; rev:1;)
alert tcp $HOME_NET any -> [198.135.49.79] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513377/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513377; rev:1;)
alert tcp $HOME_NET any -> [196.251.84.214] 8000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513376/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513376; rev:1;)
alert tcp $HOME_NET any -> [195.211.191.54] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513375/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513375; rev:1;)
alert tcp $HOME_NET any -> [191.112.9.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513374/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513374; rev:1;)
# (The line below is the head of a rule that continues on the following line of the file.)
alert tcp $HOME_NET any -> [176.65.140.153] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513373/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513373; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt; it is kept unchanged.)
#
# ThreatFox url and ip:port indicators as Suricata rules, one rule per line.
#   url     - "alert http", GET requests on an established client-to-server
#             flow. The http.uri content is a start-anchored prefix (depth,
#             no end anchor); the http.host content must match exactly
#             (depth plus isdataat:!1,relative).
#   ip:port - "alert tcp" from $HOME_NET to one address and port. No flow or
#             payload keyword: any TCP packet to that destination matches.
#             "threshold: type limit, track by_src, seconds 60, count 1"
#             caps output at one alert per source per 60 seconds.
# target:src_ip marks the $HOME_NET side as the target in the event.
# In every rule shown, sid = 90000000 + the ThreatFox IOC id in the reference URL.
# NOTE(review): several ip:port entries use 80 or 443. On an address that
# also serves unrelated content, the rule would presumably alert on that
# traffic too. Weigh the alert against confidence_level and first_seen.
alert tcp $HOME_NET any -> [172.111.137.167] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513372/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513372; rev:1;)
# url rules, all confidence_level 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auid"; depth:5; nocase; http.host; content:"zenithcorde.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513371/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riid"; depth:5; nocase; http.host; content:"techsyncq.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513370/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apdo"; depth:5; nocase; http.host; content:"techguidet.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513369/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbak"; depth:5; nocase; http.host; content:"btcgeared.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513368/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513368; rev:1;)
# ip:port rules, all confidence_level 100.
alert tcp $HOME_NET any -> [95.125.143.155] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513363; rev:1;)
alert tcp $HOME_NET any -> [62.182.82.146] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513362; rev:1;)
alert tcp $HOME_NET any -> [23.227.199.59] 14443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513361; rev:1;)
alert tcp $HOME_NET any -> [91.92.46.3] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513360; rev:1;)
alert tcp $HOME_NET any -> [107.189.21.227] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513359; rev:1;)
alert tcp $HOME_NET any -> [15.168.20.99] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513358; rev:1;)
alert tcp $HOME_NET any -> [114.55.28.140] 18088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513357; rev:1;)
alert tcp $HOME_NET any -> [185.195.65.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513356; rev:1;)
alert tcp $HOME_NET any -> [107.151.246.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513355; rev:1;)
alert tcp $HOME_NET any -> [103.233.253.26] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513353; rev:1;)
# (The line below is the head of a rule that continues on the following line of the file.)
alert tcp $HOME_NET any -> [43.242.201.14] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1513354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513354; rev:1;) alert tcp $HOME_NET any -> [85.93.9.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513352; rev:1;) alert tcp $HOME_NET any -> [67.205.137.180] 38975 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513345/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513345; rev:1;) alert tcp $HOME_NET any -> [67.205.137.180] 41829 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513346/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513346; rev:1;) alert tcp $HOME_NET any -> [128.199.208.158] 8456 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513347/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kamru.su"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ukrainianhorseriding.kamru.su"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513343; rev:1;)
# (The line above completes a rule that starts on the previous line of the page.)
#
# DNS indicators ("alert dns"): depth equals the length of the content string and
# isdataat:!1,relative rejects trailing bytes, so each rule matches only a query for
# exactly the listed name, case-insensitively. dns_query is the older spelling of
# the dns.query buffer keyword.
#
# URL indicators ("alert http"): http.uri content with depth equal to its length is
# anchored at the start of the URI only, so longer paths and query strings that
# begin with the same string also match; http.host is matched exactly. nocase
# applies to the URI content it follows. These rules inspect cleartext HTTP only:
# the same request inside TLS is not visible unless traffic is decrypted before
# the sensor. The feed names no malware family for the URL rules in this group
# (msg says only "botnet C2 traffic") and rates them at confidence 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u1.paralegalchemicals.run"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/renq"; depth:5; nocase; http.host; content:"sorcery.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513330/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"rwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513329/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"ogeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513328/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"ifishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513327/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tured"; depth:6; nocase; http.host; content:"bardcauft.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513326/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aplhadrink.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lwhkr.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fwwls.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ringtoday.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kingrouder.tech"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"pclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513324/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"5tropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513323/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513323; rev:1;)
# The rule below is cut by the page's line wrapping and continues on the next line;
# a Suricata rule has to sit on one line (or use backslash continuation) to load.
# It has no flow, flags or payload condition: it matches any TCP packet to the
# listed address and port, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [109.120.137.79] 401 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513320/; target:src_ip; metadata:
confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513320; rev:1;)
# (The line above completes a rule that starts on the previous line of the page.)
#
# ip:port rules ("alert tcp") in this group match any TCP packet from $HOME_NET to
# the listed address and port: there is no flow, flags or payload condition, so a
# hit shows an attempted connection only. The threshold keeps one alert per source
# host per 60 seconds.
#
# Vidar-labelled addresses on port 443. 49.12.113.201 and 65.109.240.225 are also
# used as http.host values in URL rules below (sids 91513313, 91513314); those URL
# rules only see cleartext HTTP, so they do not cover the port 443 traffic here.
alert tcp $HOME_NET any -> [49.12.113.201] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513317; rev:1;)
alert tcp $HOME_NET any -> [65.109.240.225] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513318; rev:1;)
alert tcp $HOME_NET any -> [5.75.209.111] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513319; rev:1;)
# DNS rules match the full query name exactly (depth = string length plus
# isdataat:!1,relative), which is why the parent name and the subdomain each have
# their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3a.4t.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"71.3a.4t.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513316; rev:1;)
# content:"/"; depth:1 is satisfied by every URI that starts with "/", so the next
# three rules fire on any cleartext GET whose Host header is exactly the listed
# name or address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"71.3a.4t.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.113.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513314; rev:1;)
# The next two rules name one path on steamcommunity.com and one on t.me. The hosts
# are widely used services, so the indicator is the host+path pair; do not reduce
# either rule to a host-only alert or block.
# NOTE(review): both sites are normally reached over HTTPS, where http.uri is not
# visible to the sensor, so expect hits only on plain HTTP or behind TLS inspection.
# The URI match is a prefix match (no end anchor): a longer path that starts with
# the same string also alerts. Presumably these pages are used to publish the real
# C2 address; the feed labels them only "botnet C2 traffic", so confirm in the
# referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199851454339"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m00f3r"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513311; rev:1;)
alert tcp $HOME_NET any -> [85.9.198.162] 8080 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513307; rev:1;)
alert tcp $HOME_NET any -> [34.134.221.76] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513306; rev:1;)
alert tcp $HOME_NET any -> [45.141.233.172] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513305; rev:1;)
alert tcp $HOME_NET any -> [84.32.188.17] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513303; rev:1;)
alert tcp $HOME_NET any -> [209.38.253.70] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513304; rev:1;)
# The rule below is cut by the page's line wrapping and continues on the next line;
# a Suricata rule has to sit on one line (or use backslash continuation) to load.
alert tcp $HOME_NET any -> [113.44.152.64] 6667 (msg:"ThreatFox Cobalt Strike
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513302; rev:1;)
# (The line above completes a rule that starts on the previous line of the page.)
#
# Rule shapes in this group:
#  - "alert tcp" (ip:port): any TCP packet from $HOME_NET to the listed address and
#    port; no flow, flags or payload condition, one alert per source per 60 s.
#  - "alert dns" (domain): exact, case-insensitive match on the full query name
#    (depth = string length, isdataat:!1,relative forbids trailing bytes).
#  - "alert http" (url): GET with a URI that starts with the listed path (prefix
#    match, no end anchor) and a Host header equal to the listed name. Cleartext
#    HTTP only; the same request inside TLS is not inspected.
# Most entries here are labelled "payload delivery", i.e. the download stage.
alert tcp $HOME_NET any -> [198.44.168.41] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cgplk.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513299; rev:1;)
alert tcp $HOME_NET any -> [185.228.234.238] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"titanumsheld.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513292; rev:1;)
# wavob.top and xelesex.top (further down) are listed with the same /ifh/ paths
# (select.js, lll.php). That suggests one delivery kit on two hosts; this is
# inferred from the paths, the feed does not state it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"wavob.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wavob.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"wavob.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513295; rev:1;)
# www.eurobrandsindia.com: two URL rules name .zip files under /wp-content/
# (sids 91513296, 91513283) and a DNS rule (sid 91513284) alerts on any lookup of
# the host name.
# NOTE(review): the /wp-content/ path suggests a WordPress site, possibly a
# legitimate one that was compromised. Treat a DNS-only hit as weaker evidence
# than a URL hit and confirm against the referenced ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/leki.zip"; depth:20; nocase; http.host; content:"www.eurobrandsindia.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2rivercsg.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513298; rev:1;)
# cpanel.paulmaguire.com has a URL rule (below) and a DNS rule (sid 91513278).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"cpanel.paulmaguire.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ms2.rybos.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vuram.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magiklink.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"julerise.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.paulmaguire.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/min.js"; depth:11; nocase; http.host; content:"xelesex.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xelesex.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/select.js"; depth:14; nocase; http.host; content:"xelesex.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/kile.zip"; depth:20; nocase; http.host; content:"www.eurobrandsindia.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifh/lll.php"; depth:12; nocase; http.host; content:"xelesex.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.eurobrandsindia.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513284; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.74] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"folew.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lammysecurity.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513287; rev:1;)
# The rule below is cut by the page's line wrapping and continues on the next line;
# a Suricata rule has to sit on one line (or use backslash continuation) to load.
alert tcp $HOME_NET any -> [47.253.165.251] 7890 (msg:"ThreatFox Cobalt
Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513277/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513277; rev:1;)
# (The line above completes a rule that starts on the previous line of the page.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quzem.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513276; rev:1;)
# Lowest-rated entry in this group (confidence_level 50). The URI match is a
# prefix match on cleartext HTTP and the Host header must equal the listed address.
# Corroborate with other telemetry before escalating a single hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"152.252.95.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513275/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_28; classtype:trojan-activity; sid:91513275; rev:1;)
# ip:port C2 indicators. Each rule below matches any TCP packet from $HOME_NET to
# the listed address and port: there is no flow, flags or payload condition, so an
# alert shows an attempted connection, not a confirmed C2 session.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source host per 60 seconds; use flow records to count connections.
# Several entries use ports shared with ordinary services (80, 443); an address can
# be reassigned after listing, so check first_seen and the ThreatFox entry on a hit.
#
# The three Remcos rules list one address (185.244.30.100) on ports 4800-4802.
alert tcp $HOME_NET any -> [185.244.30.100] 4802 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513273/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513273; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.100] 4800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513271/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513271; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.100] 4801 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513272/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513272; rev:1;)
alert tcp $HOME_NET any -> [147.124.221.148] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513270; rev:1;)
alert tcp $HOME_NET any -> [47.90.155.109] 3000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513269; rev:1;)
alert tcp $HOME_NET any -> [91.151.95.206] 50001 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513268; rev:1;)
alert tcp $HOME_NET any -> [23.88.62.122] 8090 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513267; rev:1;)
alert tcp $HOME_NET any -> [91.229.239.12] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513266; rev:1;)
alert tcp $HOME_NET any -> [13.244.95.122] 44819 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513265; rev:1;)
alert tcp $HOME_NET any -> [172.187.178.33] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513264; rev:1;)
alert tcp $HOME_NET any -> [193.233.203.26] 8993 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513263; rev:1;)
alert tcp $HOME_NET any -> [155.138.132.158] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513261; rev:1;)
alert tcp $HOME_NET any -> [102.117.172.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513262; rev:1;)
alert tcp $HOME_NET any -> [80.64.30.203] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513260; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.129] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513259; rev:1;)
alert tcp $HOME_NET any -> [154.211.90.252] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513256; rev:1;)
alert tcp $HOME_NET any -> [82.223.48.201] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513257; rev:1;)
alert tcp $HOME_NET any -> [158.220.83.114] 1005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513258; rev:1;)
alert tcp $HOME_NET any -> [154.211.90.65] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513255; rev:1;)
# The rule below is cut by the page's line wrapping and continues on the next line;
# a Suricata rule has to sit on one line (or use backslash continuation) to load.
alert tcp $HOME_NET any -> [8.219.49.148] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513254; rev:1;)
# (The line above completes a rule that starts on the previous line of the page.)
#
# Rule shapes in this group:
#  - "alert tcp" (ip:port): any TCP packet from $HOME_NET to the listed address and
#    port; no flow, flags or payload condition, so a hit is an attempted connection.
#    The threshold keeps one alert per source host per 60 seconds.
#  - "alert dns" (domain): exact, case-insensitive match on the full query name
#    (depth = string length, isdataat:!1,relative forbids trailing bytes).
#  - "alert http" (url): GET with a URI that starts with the listed path (prefix
#    match, no end anchor) and a Host header equal to the listed name or address.
#    Cleartext HTTP only; the same request inside TLS is not inspected.
alert tcp $HOME_NET any -> [3.252.248.209] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513253; rev:1;)
alert tcp $HOME_NET any -> [39.100.70.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513252; rev:1;)
# jimriehls.com is covered three ways: two URL rules (/5t3e.js, /js.php) and one
# DNS rule. The DNS rule still fires when the fetch itself goes over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5t3e.js"; depth:8; nocase; http.host; content:"jimriehls.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jimriehls.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"jimriehls.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"doreblue.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513251; rev:1;)
# NOTE(review): the path suggests the login page of a Supershell panel; that is
# inferred from the URI, the feed labels the entry only "botnet C2 traffic".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"154.31.216.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"milerdrew.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign/in"; depth:8; nocase; http.host; content:"solidwork.pro"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solidwork.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513246; rev:1;)
# The five ip:port rules below are rated confidence 75; two of them use port 443,
# which is shared with ordinary HTTPS traffic. An address can be reassigned after
# listing, so check first_seen and the ThreatFox entry before acting on a hit.
alert tcp $HOME_NET any -> [195.128.100.227] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513243/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513243; rev:1;)
alert tcp $HOME_NET any -> [84.38.189.55] 6443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513242/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513242; rev:1;)
alert tcp $HOME_NET any -> [70.176.149.88] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513241/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513241; rev:1;)
alert tcp $HOME_NET any -> [31.131.251.47] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513240/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513240; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.149] 8000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513239/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513239; rev:1;)
# The URL rules below carry no malware family in msg and are rated confidence 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"gfishgh.digital"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513238/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"awoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513237/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"9buzzarddf.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513236/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"24parakehjet.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513235/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513235; rev:1;)
# The rule below is cut by the page's line wrapping and continues on the next line;
# a Suricata rule has to sit on one line (or use backslash continuation) to load.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"1u6clarmodq.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513234/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513234; rev:1;) alert tcp $HOME_NET any -> [142.171.44.245] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513233/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513233; rev:1;) alert tcp $HOME_NET any -> [196.251.86.182] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513232/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"6topographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513231/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"0tbiosphxere.digital"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513230/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"sofacent.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"coveridea.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign/in"; depth:8; nocase; http.host; content:"asperod.tech"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asperod.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513227; rev:1;) alert tcp $HOME_NET any -> [195.2.92.39] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513225; rev:1;) alert tcp $HOME_NET 
any -> [154.21.201.16] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513224; rev:1;) alert tcp $HOME_NET any -> [84.32.22.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.normanwaddell.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513223; rev:1;) alert tcp $HOME_NET any -> [42.118.180.174] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513221; rev:1;) alert tcp $HOME_NET any -> [116.104.55.173] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513217; rev:1;) alert tcp $HOME_NET any -> [116.104.55.159] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1513218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513218; rev:1;) alert tcp $HOME_NET any -> [58.186.113.141] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513219; rev:1;) alert tcp $HOME_NET any -> [58.186.168.187] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513220; rev:1;) alert tcp $HOME_NET any -> [116.104.55.175] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513213; rev:1;) alert tcp $HOME_NET any -> [116.104.55.150] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513214; rev:1;) alert tcp $HOME_NET any -> [42.118.180.168] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513215; rev:1;) alert tcp $HOME_NET any -> [171.224.210.244] 8888 (msg:"ThreatFox 
Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513216; rev:1;) alert tcp $HOME_NET any -> [116.104.55.198] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513210; rev:1;) alert tcp $HOME_NET any -> [42.118.180.182] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513211; rev:1;) alert tcp $HOME_NET any -> [58.186.113.138] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bookings.odoc.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513209; rev:1;) alert tcp $HOME_NET any -> [128.199.68.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513207/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513207; rev:1;)
# ip:port indicators. These rules carry no flow or payload keywords, so they
# match on destination address and port alone; an alert records that a host in
# $HOME_NET sent TCP traffic to the listed endpoint, not that a C2 session was
# completed. The threshold keyword limits output to one alert per source
# address per 60 seconds. target:src_ip marks the internal host as the target.
alert tcp $HOME_NET any -> [107.189.21.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513208; rev:1;)
alert tcp $HOME_NET any -> [95.129.234.24] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513206; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.211] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513205; rev:1;)
alert tcp $HOME_NET any -> [47.93.25.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513204; rev:1;)
# Domain indicators. In the dns_query buffer, depth equal to the length of the
# content string plus isdataat:!1,relative makes this an exact, case-insensitive
# match on the whole query name; a query for a subdomain of the listed name
# does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dubyl.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513203; rev:1;)
# URL indicator: GET request whose URI begins with "/9dvj" (depth anchors the
# match at the start; nothing requires the URI to end there) and whose Host
# value is exactly "192.168.1.18". HTTP rules only see cleartext or decrypted
# traffic.
# NOTE(review): 192.168.1.18 is an RFC 1918 private address, while the rule
# header is $HOME_NET -> $EXTERNAL_NET. Where EXTERNAL_NET is the complement of
# HOME_NET this is unlikely to match real C2 traffic, and any hit depends on
# local addressing rather than on attacker infrastructure. Presumably a lab or
# sandbox artefact in the submitted indicator; confirm against the reference
# entry before relying on this rule or acting on its alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9dvj"; depth:5; nocase; http.host; content:"192.168.1.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513195/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mylan.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zenithcorde.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techguidet.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"btcgeared.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techsyncq.run"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toptalentw.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drindin.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tyfew.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513194; rev:1;) alert tcp $HOME_NET any -> [159.138.34.64] 56789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513151; rev:1;) alert tcp $HOME_NET any -> [196.251.116.115] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; 
classtype:trojan-activity; sid:91513152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"denemescprittt.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513153; rev:1;) alert tcp $HOME_NET any -> [195.211.191.54] 2983 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513154; rev:1;) alert tcp $HOME_NET any -> [196.251.116.68] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513155; rev:1;) alert tcp $HOME_NET any -> [167.71.236.37] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513156; rev:1;) alert tcp $HOME_NET any -> [187.101.165.234] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513157; rev:1;) alert tcp $HOME_NET any -> [154.91.226.168] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513158; rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513159; rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513160; rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513161; rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513162; rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513163; 
rev:1;) alert tcp $HOME_NET any -> [103.127.135.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513164; rev:1;) alert tcp $HOME_NET any -> [121.37.237.250] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513165; rev:1;) alert tcp $HOME_NET any -> [54.75.31.65] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513166; rev:1;) alert tcp $HOME_NET any -> [34.34.87.254] 4141 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513167; rev:1;) alert tcp $HOME_NET any -> [222.184.253.70] 56562 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513168; rev:1;) alert tcp $HOME_NET any -> [80.211.194.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1513169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513169; rev:1;) alert tcp $HOME_NET any -> [34.244.45.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513170; rev:1;) alert tcp $HOME_NET any -> [186.67.120.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513171; rev:1;) alert tcp $HOME_NET any -> [18.201.179.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513172; rev:1;) alert tcp $HOME_NET any -> [52.215.233.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513173; rev:1;) alert tcp $HOME_NET any -> [3.254.210.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513174; rev:1;) alert tcp $HOME_NET any 
-> [34.9.145.167] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513175; rev:1;) alert tcp $HOME_NET any -> [193.134.211.236] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513176; rev:1;) alert tcp $HOME_NET any -> [164.90.216.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513177; rev:1;) alert tcp $HOME_NET any -> [149.90.103.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513178; rev:1;) alert tcp $HOME_NET any -> [47.238.30.194] 8088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513179; rev:1;) alert tcp $HOME_NET any -> [44.233.122.24] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1513180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513180; rev:1;) alert tcp $HOME_NET any -> [44.233.122.24] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513181; rev:1;) alert tcp $HOME_NET any -> [168.138.2.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513182; rev:1;) alert tcp $HOME_NET any -> [143.110.147.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513183; rev:1;) alert tcp $HOME_NET any -> [51.75.22.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513184; rev:1;) alert tcp $HOME_NET any -> [142.171.29.139] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513185; rev:1;) alert tcp $HOME_NET any -> [3.125.68.215] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513186; rev:1;)
# ip:port indicators: matched on destination address and port only (no flow or
# payload keywords), limited to one alert per source address per 60 seconds.
# An alert means a host in $HOME_NET sent TCP traffic to the endpoint.
alert tcp $HOME_NET any -> [3.125.68.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513187; rev:1;)
alert tcp $HOME_NET any -> [206.238.68.237] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513094; rev:1;)
# Exact, case-insensitive match on the full DNS query name (depth equals the
# string length and isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.dnsnb8.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513123/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513123; rev:1;)
alert tcp $HOME_NET any -> [172.111.163.163] 3911 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513143/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513143; rev:1;)
# NOTE(review): the next rule is a confidence_level 50 indicator, yet it uses
# the same alert action and classtype:trojan-activity as the 100% rules. The
# confidence appears only in msg and metadata, so nothing in the rule itself
# lowers its severity. Triage or rule management has to read
# metadata confidence_level to weight or filter it.
alert tcp $HOME_NET any -> [147.93.111.114] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513122/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_28; classtype:trojan-activity; sid:91513122; rev:1;)
# URL indicators: GET requests whose URI begins with "/forum/viewtopic.php"
# (prefix match; a query string after it still matches) and whose Host value is
# exactly the listed name. The path alone looks like an ordinary forum URL, so
# the specificity of these rules rests on the http.host match. HTTP rules only
# see cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"cloud.social-neos.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513145/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"archiv.social-neos.eu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513144/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"eyon-neos.eu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513146/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"quest.social-neos.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513147/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; 
classtype:trojan-activity; sid:91513147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ezl2"; depth:5; nocase; http.host; content:"47.92.166.75"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513150/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aluminumsternness.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"aluminumsternness.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fivel.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513191; rev:1;) alert tcp $HOME_NET any -> [23.95.140.60] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513089/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_28; classtype:trojan-activity; sid:91513089; rev:1;) alert tcp $HOME_NET any -> [23.94.70.113] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513090; rev:1;) alert tcp $HOME_NET any -> [34.96.225.28] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513091; rev:1;) alert tcp $HOME_NET any -> [139.59.247.82] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513092; rev:1;) alert tcp $HOME_NET any -> [103.215.78.185] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513095; rev:1;) alert tcp $HOME_NET any -> [64.185.233.163] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513093; rev:1;) alert tcp $HOME_NET any -> [23.94.70.114] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513096; rev:1;) alert tcp $HOME_NET any -> [27.124.34.26] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513097; rev:1;) alert tcp $HOME_NET any -> [27.124.34.31] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513098; rev:1;) alert tcp $HOME_NET any -> [107.173.111.26] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513099; rev:1;) alert tcp $HOME_NET any -> [103.215.78.213] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513100; rev:1;) alert tcp $HOME_NET any -> [38.54.16.203] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; 
classtype:trojan-activity; sid:91513101; rev:1;) alert tcp $HOME_NET any -> [38.147.170.252] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513102; rev:1;) alert tcp $HOME_NET any -> [35.78.114.163] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513104; rev:1;) alert tcp $HOME_NET any -> [165.154.199.35] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513105; rev:1;) alert tcp $HOME_NET any -> [198.58.100.186] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513103; rev:1;) alert tcp $HOME_NET any -> [27.124.34.25] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513106; rev:1;) alert tcp $HOME_NET any -> [192.253.235.50] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513107; rev:1;) alert tcp $HOME_NET any -> [47.108.175.134] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513108; rev:1;) alert tcp $HOME_NET any -> [114.116.254.52] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513109; rev:1;) alert tcp $HOME_NET any -> [206.238.70.142] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513110; rev:1;) alert tcp $HOME_NET any -> [103.79.118.72] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513111; rev:1;) alert tcp $HOME_NET any -> [16.163.161.51] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; 
sid:91513112; rev:1;)
# ip:port rules: these carry no flow or payload option, so a match shows only
# that a TCP packet left $HOME_NET for the listed address and port. It does not
# by itself show that a session was established or that C2 data was exchanged.
# The threshold limits alerts to one per source address per 60 seconds.
alert tcp $HOME_NET any -> [64.185.233.162] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513113; rev:1;)
alert tcp $HOME_NET any -> [66.135.26.190] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513114; rev:1;)
alert tcp $HOME_NET any -> [103.12.148.112] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513115; rev:1;)
alert tcp $HOME_NET any -> [23.95.44.47] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513116; rev:1;)
# NOTE(review): unlike the other url rules in this feed, the next rule has no
# http.host match and puts an IP literal in http.uri with depth:12, so it fires
# only when the request URI itself begins with "20.54.80.208".
# Presumably the source IOC was a bare host with no path; verify against the
# referenced ThreatFox entry. confidence_level is 25, so treat a hit (or the
# absence of one) as weak evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"20.54.80.208"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1513117/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_28; classtype:trojan-activity; sid:91513117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wudav.press"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513118; rev:1;) alert tcp $HOME_NET any -> [185.228.72.71] 1533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513035/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513035; rev:1;) alert tcp $HOME_NET any -> [62.60.226.101] 40104 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513073/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513073; rev:1;) alert tcp $HOME_NET any -> [62.60.226.21] 40103 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513075/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513075; rev:1;) alert tcp $HOME_NET any -> [193.151.108.40] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513087/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_28; classtype:trojan-activity; sid:91513087; rev:1;) alert tcp $HOME_NET any -> [62.60.226.21] 40104 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513074/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; 
sid:91513074; rev:1;) alert tcp $HOME_NET any -> [185.29.11.31] 3765 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513076/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513076; rev:1;) alert tcp $HOME_NET any -> [46.246.14.5] 2404 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513033/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513033; rev:1;) alert tcp $HOME_NET any -> [52.57.120.10] 12802 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513034/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513034; rev:1;) alert tcp $HOME_NET any -> [62.60.226.21] 40105 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513072/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foqin.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513030; rev:1;) alert tcp $HOME_NET any -> [78.159.131.80] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1513031/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513031; rev:1;) alert tcp $HOME_NET any -> [182.92.131.115] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513193; rev:1;) alert tcp $HOME_NET any -> [43.140.243.146] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hovno.tobim6.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513188; rev:1;) alert tcp $HOME_NET any -> [124.221.56.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513149/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513149; rev:1;) alert tcp $HOME_NET any -> [196.251.86.197] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513148/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_28; classtype:trojan-activity; sid:91513148; rev:1;) alert tcp $HOME_NET any 
-> [62.60.187.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513142; rev:1;)
alert tcp $HOME_NET any -> [144.126.246.44] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513141; rev:1;)
alert tcp $HOME_NET any -> [195.210.178.70] 16993 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513140; rev:1;)
# The next two rules match one exact DNS query name each: depth equals the
# length of the name and isdataat:!1,relative rejects any trailing bytes.
# NOTE(review): both names have the form of provider-assigned EC2 public DNS
# hostnames, which follow an instance's public IPv4 address, not a registered
# domain. Cloud addresses are reassigned between tenants, so a hit long after
# first_seen may point at an unrelated workload. Confirm the IOC is still
# listed at the reference URL before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-84-178-184.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-251-180-166.ap-southeast-1.compute.amazonaws.com"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513138; rev:1;)
alert tcp $HOME_NET any -> [51.195.91.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513137; rev:1;) alert tcp $HOME_NET any -> [196.251.116.129] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513136; rev:1;) alert tcp $HOME_NET any -> [45.192.164.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513135; rev:1;) alert tcp $HOME_NET any -> [172.94.111.186] 16161 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_28; classtype:trojan-activity; sid:91513134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"qclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513133/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnbvj"; depth:6; nocase; http.host; 
content:"pixelcodey.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513132/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"owoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513131/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"ntropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513130/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dsiu"; depth:5; nocase; http.host; content:"mobitront.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513129/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"kbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513128/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; 
classtype:trojan-activity; sid:91513128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"8geographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513126/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"9topographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513127/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"1clarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513124/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"2gvigorbridgoe.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513125/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"sclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513121/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"fbearjk.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513120/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"dwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513119/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513119; rev:1;) alert tcp $HOME_NET any -> [68.32.77.103] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513088/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513088; rev:1;) alert tcp $HOME_NET any -> [5.188.33.181] 8999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513086/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513086; rev:1;) alert tcp $HOME_NET any -> [45.88.186.77] 7232 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513085/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513085; rev:1;) alert tcp $HOME_NET any -> [45.141.233.95] 7501 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513084/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513084; rev:1;) alert tcp $HOME_NET any -> [45.134.48.104] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513083/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513083; rev:1;) alert tcp $HOME_NET any -> [37.114.63.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513082/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513082; rev:1;) alert tcp $HOME_NET any -> [211.159.153.5] 60211 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513081/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513081; rev:1;) alert tcp $HOME_NET any -> [165.22.212.253] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513080/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513080; 
rev:1;)
alert tcp $HOME_NET any -> [144.172.94.210] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513079/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513079; rev:1;)
alert tcp $HOME_NET any -> [107.173.4.10] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513078/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513078; rev:1;)
alert tcp $HOME_NET any -> [103.233.8.39] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513077/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513077; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.22] 40278 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513071/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513071; rev:1;)
# Domain rules in this group (ply.gg, duckdns.org) each match one exact query
# name: depth equals the name length and isdataat:!1,relative rejects trailing
# bytes, so other hostnames under the same parent domain do not alert.
# NOTE(review): these parents appear to be shared tunnelling / dynamic-DNS
# domains used by many unrelated parties, and confidence_level is 50. Keep the
# match on the full hostname; do not widen it to the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"he-tracks.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513070/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513070; rev:1;)
# url rule on a general-purpose host: http.host is matched exactly, while
# http.uri is anchored only at its start (depth:13, no end anchor), so any URI
# beginning with the pattern matches. Only the URI separates this request from
# ordinary traffic to the same host.
# NOTE(review): as an `alert http` rule it matches only requests Suricata can
# parse as HTTP; a request to this host carried inside TLS is not inspected by
# it unless the traffic is decrypted upstream of the sensor.
# NOTE(review): the URI pattern is lower-case with nocase; if the path is
# case-sensitive on the server, differently-cased paths also match. Verify
# against the referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nkaephyj"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513069/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uracnc.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513068/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"28.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513065/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hi-tokyo.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513066/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"itself-perfectly.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513067/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"154.37.213.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513064; rev:1;) alert tcp $HOME_NET any -> [103.82.36.111] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513063; rev:1;) alert tcp $HOME_NET any -> [64.226.97.103] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513062; rev:1;) alert tcp $HOME_NET any -> [54.95.221.112] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513061; rev:1;) alert tcp $HOME_NET any -> [46.137.224.70] 50389 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513060; rev:1;) alert tcp $HOME_NET any -> [20.244.94.209] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513058; 
rev:1;) alert tcp $HOME_NET any -> [154.21.201.16] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513059; rev:1;) alert tcp $HOME_NET any -> [103.68.251.236] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513057; rev:1;) alert tcp $HOME_NET any -> [94.228.189.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513056/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513056; rev:1;) alert tcp $HOME_NET any -> [196.251.116.68] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513054; rev:1;) alert tcp $HOME_NET any -> [196.251.116.68] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513055; rev:1;) alert tcp $HOME_NET any -> [136.144.164.95] 3131 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1513053/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513053; rev:1;) alert tcp $HOME_NET any -> [84.9.20.90] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513052; rev:1;) alert tcp $HOME_NET any -> [8.217.196.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513051; rev:1;) alert tcp $HOME_NET any -> [115.233.60.197] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513050/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513050; rev:1;) alert tcp $HOME_NET any -> [78.164.223.72] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513049/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513049; rev:1;) alert tcp $HOME_NET any -> [212.69.167.73] 5986 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513048/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513048; rev:1;) alert tcp $HOME_NET any -> [84.46.239.239] 10443 (msg:"ThreatFox Brute Ratel C4 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513047; rev:1;) alert tcp $HOME_NET any -> [118.122.8.155] 3155 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513044; rev:1;) alert tcp $HOME_NET any -> [52.23.156.175] 35250 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513045/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513045; rev:1;) alert tcp $HOME_NET any -> [52.23.156.175] 17000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513046; rev:1;) alert tcp $HOME_NET any -> [106.75.215.144] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513042; rev:1;) alert tcp $HOME_NET any -> [212.113.112.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513043/; target:src_ip; metadata: confidence_level 
50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513043; rev:1;) alert tcp $HOME_NET any -> [185.26.236.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513040/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513040; rev:1;) alert tcp $HOME_NET any -> [185.196.8.7] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513041; rev:1;) alert tcp $HOME_NET any -> [118.195.189.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513039/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513039; rev:1;) alert tcp $HOME_NET any -> [118.107.221.14] 9988 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513038/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513038; rev:1;) alert tcp $HOME_NET any -> [123.249.97.76] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513037/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513037; rev:1;) alert tcp $HOME_NET any -> [123.249.20.20] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513036/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"111.9.73.250"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513032/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"syvuk.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gusex.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513028; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 46796 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513025/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513025; rev:1;) alert tcp $HOME_NET any -> [209.141.62.246] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513016/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513016; rev:1;) alert tcp $HOME_NET any -> [163.123.183.240] 4455 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513018/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_27; classtype:trojan-activity; sid:91513018; rev:1;) alert tcp $HOME_NET any -> [83.149.72.49] 4454 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513019/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_27; classtype:trojan-activity; sid:91513019; rev:1;) alert tcp $HOME_NET any -> [45.62.170.102] 3465 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513020/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_27; classtype:trojan-activity; sid:91513020; rev:1;) alert tcp $HOME_NET any -> [45.62.170.102] 3098 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513021/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_27; classtype:trojan-activity; sid:91513021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"166.108.206.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; 
sid:91513022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mubub.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513023; rev:1;) alert tcp $HOME_NET any -> [103.198.26.208] 56796 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513024/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513024; rev:1;) alert tcp $HOME_NET any -> [103.198.26.208] 12167 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513026/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513026; rev:1;) alert tcp $HOME_NET any -> [103.186.117.96] 23951 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513027/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dizec.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobitront.run"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"bearjk.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tequ"; depth:5; nocase; http.host; content:"fishgh.digital"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mediaflowq.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513012; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 63497 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513013/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91513013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/s/42cf1c2250951"; depth:16; nocase; http.host; content:"www.smoffrs.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513015/; target:src_ip; metadata: confidence_level 95, first_seen 2025_04_27; classtype:trojan-activity; sid:91513015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.zigui.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513007/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techmindj.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"5cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1513017/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91513017; rev:1;) alert tcp $HOME_NET any -> [49.234.198.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1513014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513014; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zatoh.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1513005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91513005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tycyn.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"mqtropiscbs.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512071/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktnt"; depth:5; nocase; http.host; content:"buzzarddf.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512072/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kewk"; depth:5; nocase; http.host; content:"parakehjet.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512073/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_04_27; classtype:trojan-activity; sid:91512073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benj"; depth:5; nocase; http.host; content:"n-ubearjk.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512074/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512074; rev:1;) alert tcp $HOME_NET any -> [45.131.64.83] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512106; rev:1;) alert tcp $HOME_NET any -> [8.211.157.140] 3000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512105; rev:1;) alert tcp $HOME_NET any -> [23.27.48.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512104; rev:1;) alert tcp $HOME_NET any -> [51.75.47.21] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512102; rev:1;) alert tcp $HOME_NET any -> [160.250.137.168] 80 (msg:"ThreatFox MooBot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512103; rev:1;) alert tcp $HOME_NET any -> [102.96.214.223] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512100; rev:1;) alert tcp $HOME_NET any -> [15.206.179.134] 28080 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512101; rev:1;) alert tcp $HOME_NET any -> [154.91.226.118] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512099; rev:1;) alert tcp $HOME_NET any -> [37.213.58.192] 25565 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"31033-49848.bacloud.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512097/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office-mirror-ue.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512096; rev:1;) alert tcp $HOME_NET any -> [69.166.65.136] 4480 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512094; rev:1;) alert tcp $HOME_NET any -> [125.143.10.145] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domzblueman.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512093; rev:1;) alert tcp $HOME_NET any -> [141.98.115.179] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512092; rev:1;) alert tcp $HOME_NET any -> [102.117.167.97] 7443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512091; rev:1;)
# ip:port indicators. Each rule below alerts on TCP traffic from $HOME_NET to one listed
# address and port. No payload or flow-state keyword is present, so the destination alone
# decides the match; threshold limits output to one alert per source per 60 seconds.
# The family named in msg is a static label: nothing in the rule inspects the traffic for
# it, so treat a hit as a lead and corroborate it with host or flow telemetry.
# metadata carries first_seen but no expiry; ageing out old addresses is left to the deployer.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [176.65.144.95] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512089; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.152] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512090; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.48] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512086; rev:1;)
alert tcp $HOME_NET any -> [47.92.223.52] 5986 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512087; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.129] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512088; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.48] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512085; rev:1;)
alert tcp $HOME_NET any -> [47.97.42.177] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512084; rev:1;)
alert tcp $HOME_NET any -> [159.75.154.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512083; rev:1;)
# Destination port 53 over TCP: the match is on the address and port only, not on DNS content.
alert tcp $HOME_NET any -> [139.180.222.187] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512082; rev:1;)
alert tcp $HOME_NET any -> [110.41.181.247] 60052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512081; rev:1;)
alert tcp $HOME_NET any -> [8.130.129.187] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512078; rev:1;)
alert tcp $HOME_NET any -> [143.47.251.31] 1435 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512079; rev:1;)
alert tcp $HOME_NET any -> [123.249.20.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512080; rev:1;)
# The three rules below carry confidence_level 75; the rules above in this group carry 100.
alert tcp $HOME_NET any -> [52.140.245.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512070/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512070; rev:1;)
alert tcp $HOME_NET any -> [43.153.225.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512069/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512069; rev:1;)
alert tcp $HOME_NET any -> [137.220.232.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512068/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512068; rev:1;)
# Domain indicators. dns_query with depth equal to the content length plus
# isdataat:!1,relative anchors both ends, so only a query for exactly the listed name
# (any letter case, via nocase) alerts; subdomains and look-alike names are not covered.
# Queries resolved over an encrypted transport are not visible to these rules unless
# they are decrypted before reaching the sensor.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
# The first entry is a single host name under a shared hosting suffix (replit.dev);
# the exact-match anchoring keeps it from firing on other names under that suffix.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4a33131c-0fd3-4beb-bb52-c1bee6551841-00-2pvukptvjihkt.worf.replit.dev"; depth:69; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512067/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fisop.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-7f2c-run.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techcastlev.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jusev.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"heraldryr.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512052/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dragonfireq.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512053/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blacksmeiths.digital"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512054/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sorcery.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512055/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stackwaven.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512056/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rushelectc.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512057/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"automazye.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512058/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmindsk.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512059/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hyperforge.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512060/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"courtjew.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512061/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maxcloudr.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512062/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sieeraft.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512063/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bytequesty.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512064/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gameverseb.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512065/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buzzarddf.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fishgh.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parakehjet.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bearjk.live"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crocodilefg.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512044; rev:1;)
# URL indicators. These match an established client-to-server GET whose URI starts with the
# listed path (depth equals the content length, nocase, no end anchor) and whose Host value
# is exactly the listed name. They inspect parsed HTTP only, so the same request inside TLS
# is not visible to them unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"twoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512047/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"i8geographys.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512046/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"vgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512045/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"puxup.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512032; rev:1;)
# ip:port indicators. These alert on TCP traffic from $HOME_NET to one address and port with
# no payload or flow-state keyword; threshold limits output to one alert per source per
# 60 seconds. The family in msg is a static label, so corroborate a hit before acting on it.
alert tcp $HOME_NET any -> [88.89.219.235] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512039/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512039; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.227] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512038/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512038; rev:1;)
alert tcp $HOME_NET any -> [56.124.95.65] 43877 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512037/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512037; rev:1;)
alert tcp $HOME_NET any -> [43.135.9.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512036/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512036; rev:1;)
# ip:port indicators. These alert on TCP traffic from $HOME_NET to one address and port with
# no payload or flow-state keyword; threshold limits output to one alert per source per
# 60 seconds. The family in msg is a static label, so corroborate a hit before acting on it.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [27.124.2.7] 114 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512035/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512035; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.129] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512034/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512034; rev:1;)
alert tcp $HOME_NET any -> [18.230.74.250] 1521 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512033/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512033; rev:1;)
alert tcp $HOME_NET any -> [13.203.215.200] 18444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512031/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512031; rev:1;)
# URL indicators. These match an established client-to-server GET whose URI starts with the
# listed path (depth equals the content length, nocase, no end anchor) and whose Host value
# is exactly the listed name. Several hosts below share a path and differ only in their
# leading characters (for example /ixau on three *cartograhphy.top names); because the Host
# match is exact, a variant that is not listed will not alert.
# These rules inspect parsed HTTP only, so the same request inside TLS is not visible to
# them unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"ucartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512030/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"tcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512029/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"stopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512028/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"sgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512027/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"qclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512025/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"qwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512026/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"ootopographky.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512024/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"h-tropiscbs.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512023/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"gcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512022/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"battlesummer.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"buildingsuggestion.sbs"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/biks.php"; depth:9; nocase; http.host; content:"factlow.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512019; rev:1;)
# Domain indicators. depth equal to the content length plus isdataat:!1,relative makes the
# dns_query match exact (any letter case); subdomains of the listed name are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backparty.icu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spoonarch.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512018; rev:1;)
alert tcp $HOME_NET any -> [204.10.160.146] 49263 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1512016/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91512016; rev:1;)
# Mixed group of ip:port and domain indicators.
# ip:port rules alert on TCP traffic from $HOME_NET to one address and port with no payload
# or flow-state keyword; threshold limits output to one alert per source per 60 seconds.
# The family in msg (often "Unknown malware" here) is a static label: nothing in the rule
# inspects the traffic for it, so corroborate a hit with host or flow telemetry.
# metadata carries first_seen but no expiry; ageing out old addresses is left to the deployer.
# Domain rules use depth equal to the content length plus isdataat:!1,relative, so only a
# query for exactly the listed name (any letter case) alerts.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [124.70.204.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tomo.ink"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511952; rev:1;)
alert tcp $HOME_NET any -> [103.117.120.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511954; rev:1;)
alert tcp $HOME_NET any -> [118.178.224.193] 18088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511955; rev:1;)
alert tcp $HOME_NET any -> [78.164.223.72] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511956; rev:1;)
alert tcp $HOME_NET any -> [24.199.79.214] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511957; rev:1;)
alert tcp $HOME_NET any -> [162.250.121.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511958; rev:1;)
alert tcp $HOME_NET any -> [176.65.143.79] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.founderic.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511960; rev:1;)
alert tcp $HOME_NET any -> [134.122.184.34] 5671 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511961; rev:1;)
alert tcp $HOME_NET any -> [143.92.36.194] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511962; rev:1;)
# The next three rules list the same address on three ports, each with its own sid and
# its own threshold, so one host contacting all three can raise three alerts per minute.
alert tcp $HOME_NET any -> [103.127.135.159] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511963; rev:1;)
alert tcp $HOME_NET any -> [103.127.135.159] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511964; rev:1;)
alert tcp $HOME_NET any -> [103.127.135.159] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511965; rev:1;)
alert tcp $HOME_NET any -> [168.138.9.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511974; rev:1;)
alert tcp $HOME_NET any -> [167.172.172.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511968; rev:1;)
alert tcp $HOME_NET any -> [34.244.224.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511969; rev:1;)
alert tcp $HOME_NET any -> [51.91.254.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511970; rev:1;)
alert tcp $HOME_NET any -> [163.61.110.131] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511966; rev:1;)
alert tcp $HOME_NET any -> [104.131.42.123] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511967; rev:1;)
alert tcp $HOME_NET any -> [13.233.110.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511971; rev:1;)
alert tcp $HOME_NET any -> [34.254.151.229] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511972/; target:src_ip; metadata: confidence_level 100,
first_seen 2025_04_27; classtype:trojan-activity; sid:91511972; rev:1;)
# ThreatFox ip:port indicators. Each rule below fires on any TCP packet from
# $HOME_NET to the listed address and port; no flow, flags or payload keyword
# narrows the match, so an alert shows contact with the endpoint rather than a
# decoded C2 session. "threshold: type limit, track by_src, seconds 60,
# count 1" caps output at one alert per source host per 60 seconds, and
# target:src_ip marks the internal source host as the affected side.
# NOTE(review): several destinations use ports 80/443, and the rule cannot
# tell which service on the address was contacted; check the referenced
# ThreatFox entry before treating a single hit as a confirmed compromise.
alert tcp $HOME_NET any -> [52.78.192.163] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511973; rev:1;)
alert tcp $HOME_NET any -> [218.1.136.243] 8181 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511975; rev:1;)
alert tcp $HOME_NET any -> [185.108.4.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511977; rev:1;)
alert tcp $HOME_NET any -> [35.219.123.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511976; rev:1;)
alert tcp $HOME_NET any -> [159.223.37.117] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511978; rev:1;)
alert tcp $HOME_NET any -> [34.72.179.141] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511979; rev:1;)
alert tcp $HOME_NET any -> [34.244.244.190] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511980; rev:1;)
alert tcp $HOME_NET any -> [200.170.159.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511981; rev:1;)
alert tcp $HOME_NET any -> [64.62.141.66] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511982; rev:1;)
alert tcp $HOME_NET any -> [142.202.189.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511983; rev:1;)
alert tcp $HOME_NET any -> [52.33.244.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511984; rev:1;)
# The same address is listed on two ports (80 and 443), one sid per port;
# traffic to any other port on that address is not covered by these rules.
alert tcp $HOME_NET any -> [18.192.202.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511985; rev:1;)
alert tcp $HOME_NET any -> [18.192.202.122] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511986; rev:1;)
alert tcp $HOME_NET any -> [107.172.100.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511987; rev:1;)
# Domain indicators. depth equals the pattern length and isdataat:!1,relative
# forbids trailing data, so the queried name must be exactly this string
# (case-insensitive); a lookup for a subdomain of it does not match. These
# rules carry no threshold, so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zipuk.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"puqum.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511942; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.81] 6666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511948/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91511948; rev:1;)
# Domain indicators (alert dns): depth equals the pattern length and
# isdataat:!1,relative forbids trailing data, so only a query for exactly the
# listed name matches (case-insensitive). The first name below is a host under
# the shared pages.dev parent; the exact-name anchoring keeps the rule from
# firing on other hosts under that parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"javascript-67t.pages.dev"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511921; rev:1;)
# URL indicators (alert http): client-to-server GET on an established flow.
# The http.uri content is anchored at the start only (depth = pattern length,
# no end anchor) and is nocase, so it is a case-insensitive prefix match;
# http.host is anchored at both ends and must equal the listed host. These
# rules apply only to traffic parsed as HTTP; the same URL fetched over TLS is
# outside their reach.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"s4cartograhphy.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-9y5v-scan.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511920; rev:1;)
# ip:port indicator: matches any TCP packet from $HOME_NET to this address and
# port, limited to one alert per source per 60 seconds; no payload is checked.
alert tcp $HOME_NET any -> [176.98.185.41] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511919; rev:1;)
# daltum.mx is covered twice: the http rule needs the cleartext request for
# /xm.txt, while the dns rule that follows fires on the lookup alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm.txt"; depth:7; nocase; http.host; content:"daltum.mx"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daltum.mx"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bojut.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511900; rev:1;)
# Here http.host is an IP literal: the rule matches only when the Host header
# carries that address, so no DNS lookup precedes it and no dns rule can pair
# with it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"161.129.65.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tahip.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511868; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.122] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511866/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91511866; rev:1;)
# From here several entries carry confidence_level 50 in msg and metadata.
# Every rule uses the same classtype, so the confidence value is the only
# per-rule signal available for ranking these alerts during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.232.5.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512015; rev:1;)
alert tcp $HOME_NET any -> [113.44.168.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512014; rev:1;)
alert tcp $HOME_NET any -> [8.156.71.108] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91512013; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.27] 63612 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512012/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"electronics-junk.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512011/; target:src_ip; metadata: confidence_level 50,
first_seen 2025_04_27; classtype:trojan-activity; sid:91512011; rev:1;)
# Most entries in this stretch carry confidence_level 50. The rules differ
# only in msg and metadata, so any down-ranking of lower-confidence alerts has
# to be done by the consumer of the alerts.
#
# The next rule targets a path on paste.ee, a host that also serves unrelated
# content. http.host is matched exactly, but the http.uri content is a nocase
# prefix with no end anchor: a path that differs only in letter case, or that
# continues past "/r/bo0ebfvp/0", also matches.
# NOTE(review): verify the full request path in the alert before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r/bo0ebfvp/0"; depth:13; nocase; http.host; content:"paste.ee"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512010/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512010; rev:1;)
# Domain indicators: depth = pattern length plus isdataat:!1,relative means
# the queried name must be exactly the listed string (case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"i.30x.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"srovuongtu.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1512009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512009; rev:1;)
alert tcp $HOME_NET any -> [49.128.162.6] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512007/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"203.115.83.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512006; rev:1;)
# The URI pattern here is "/" with depth:1, which every request path beginning
# with "/" satisfies. In effect this rule alerts on any cleartext GET whose
# Host is exactly kashmir-maryam.com, and it has no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kashmir-maryam.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1512005/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512005; rev:1;)
# ip:port indicators: any TCP packet from $HOME_NET to the address and port
# matches (no flow or payload keywords); the threshold allows one alert per
# source per 60 seconds. target:src_ip marks the internal host as the
# affected side.
alert tcp $HOME_NET any -> [18.200.246.226] 21 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512004; rev:1;)
alert tcp $HOME_NET any -> [92.255.57.36] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512003; rev:1;)
alert tcp $HOME_NET any -> [119.161.100.83] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512002; rev:1;)
alert tcp $HOME_NET any -> [206.123.152.226] 16101 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512001; rev:1;)
alert tcp $HOME_NET any -> [116.2.190.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1512000/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91512000; rev:1;)
# 52.23.156.175 appears with several ports (16050, 7050, 8500, and 7700 just
# after), each under its own sid. The threshold is tracked per rule, so one
# host contacting several of these ports can raise one alert per port within
# the same minute; correlate on destination address when counting incidents.
alert tcp $HOME_NET any -> [52.23.156.175] 16050 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511996/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511996; rev:1;)
alert tcp $HOME_NET any -> [52.23.156.175] 7050 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511997; rev:1;)
alert tcp $HOME_NET any -> [136.144.163.253] 8825 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511998; rev:1;)
alert tcp $HOME_NET any -> [52.23.156.175] 8500 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511999; rev:1;)
alert tcp $HOME_NET any -> [52.23.156.175] 7700 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1511995/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511995; rev:1;)
# ip:port indicators: each rule matches any TCP packet from $HOME_NET to the
# listed address and port, with no flow or payload keyword, and raises at most
# one alert per source per 60 seconds. target:src_ip marks the internal host
# as the affected side. The five Sliver entries below share port 31337 and
# confidence_level 50; only the address distinguishes them.
alert tcp $HOME_NET any -> [212.237.218.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511992/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511992; rev:1;)
alert tcp $HOME_NET any -> [142.44.188.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511993; rev:1;)
alert tcp $HOME_NET any -> [92.63.100.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511994; rev:1;)
alert tcp $HOME_NET any -> [45.32.122.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511990/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511990; rev:1;)
alert tcp $HOME_NET any -> [176.97.112.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511991; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.181] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_27; classtype:trojan-activity; sid:91511989; rev:1;)
# URL indicators (alert http): client-to-server GET on an established flow.
# The http.uri content is a nocase prefix match (depth = pattern length, no
# end anchor), so "/api" also matches any longer path starting with those
# bytes; the exact http.host match is what scopes the rule. Only traffic
# parsed as HTTP is inspected, so the same URL over TLS does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"surmisehotte.click"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511949/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_27; classtype:trojan-activity; sid:91511949; rev:1;)
alert tcp $HOME_NET any -> [118.107.221.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511947; rev:1;)
alert tcp $HOME_NET any -> [212.64.73.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_27; classtype:trojan-activity; sid:91511946; rev:1;)
# first_seen changes from 2025_04_27 to 2025_04_26 at this point. The date is
# recorded in metadata only; nothing in a rule expires it.
# NOTE(review): ip:port indicators can outlive the infrastructure they
# describe; consider pruning by first_seen in the rule-management pipeline.
alert tcp $HOME_NET any -> [124.223.220.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511945/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"uwoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511944/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"stropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511943/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511943; rev:1;)
# Domain indicator: depth = pattern length plus isdataat:!1,relative requires
# the queried name to be exactly "logced.com" (case-insensitive); subdomains
# of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logced.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511939; rev:1;)
alert tcp $HOME_NET any -> [8.211.157.140] 2001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511938/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511938; rev:1;)
alert tcp $HOME_NET any -> [79.119.15.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511937/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511937; rev:1;)
alert tcp $HOME_NET any -> [67.211.216.77] 5555 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511936/;
target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511936; rev:1;)
# ip:port indicators only in this stretch. Each rule matches any TCP packet
# from $HOME_NET to the listed address and port; no flow, flags or payload
# keyword is used, so the malware family in msg comes from the ThreatFox
# entry, not from anything seen on the wire. The threshold allows one alert
# per source host per 60 seconds, and target:src_ip marks the internal host
# as the affected side.
# NOTE(review): destinations on 443, 80 or 995 cannot be distinguished from
# other services on the same address by these rules; confirm with flow or
# endpoint data before escalating a single hit.
alert tcp $HOME_NET any -> [5.8.18.103] 6856 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511935/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511935; rev:1;)
alert tcp $HOME_NET any -> [39.40.139.205] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511934/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511934; rev:1;)
alert tcp $HOME_NET any -> [192.9.244.150] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511933/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511933; rev:1;)
alert tcp $HOME_NET any -> [185.39.17.180] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511932/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511932; rev:1;)
alert tcp $HOME_NET any -> [18.218.8.239] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511931/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511931; rev:1;)
# 156.244.7.203 is listed on ports 8090 and 443, one sid per port.
alert tcp $HOME_NET any -> [156.244.7.203] 8090 (msg:"ThreatFox DOPLUGS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511930; rev:1;)
alert tcp $HOME_NET any -> [156.244.7.203] 443 (msg:"ThreatFox DOPLUGS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511929; rev:1;)
alert tcp $HOME_NET any -> [142.171.44.245] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511928/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511928; rev:1;)
alert tcp $HOME_NET any -> [120.46.194.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511927/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511927; rev:1;)
# 104.37.4.100 (ports 6002, 6000) and 104.37.4.101 (ports 6000, 6001) are
# adjacent addresses, each port under its own sid. Ports on these addresses
# that are not listed here raise no alert, and the threshold is tracked per
# rule, so group by destination address when counting affected hosts.
alert tcp $HOME_NET any -> [104.37.4.100] 6002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511924/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511924; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.101] 6000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511925/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511925; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.101] 6001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511926/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511926; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.100] 6000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511923/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511923; rev:1;)
alert tcp $HOME_NET any -> [38.60.203.20] 5000 (msg:"ThreatFox DOPLUGS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511922; rev:1;)
alert tcp $HOME_NET any -> [20.54.80.208] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511918; rev:1;)
alert tcp $HOME_NET any -> [181.206.158.190] 1000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511917; rev:1;)
alert tcp $HOME_NET any -> [176.143.53.10] 81 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511916/; target:src_ip; metadata: confidence_level 100,
first_seen 2025_04_26; classtype:trojan-activity; sid:91511916; rev:1;)
# ip:port indicators: each rule matches any TCP packet from $HOME_NET to the
# listed address and port, without flow or payload keywords, and raises at
# most one alert per source host per 60 seconds. target:src_ip marks the
# internal host as the affected side. An alert therefore records contact with
# the endpoint; attributing it to the family named in msg relies on the
# referenced ThreatFox entry.
alert tcp $HOME_NET any -> [43.139.57.190] 50001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511915; rev:1;)
alert tcp $HOME_NET any -> [13.251.180.166] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511914; rev:1;)
alert tcp $HOME_NET any -> [5.252.155.84] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511913; rev:1;)
alert tcp $HOME_NET any -> [64.227.101.209] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511912; rev:1;)
alert tcp $HOME_NET any -> [163.172.125.253] 411 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511911; rev:1;)
alert tcp $HOME_NET any -> [45.141.233.154] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511910; rev:1;)
alert tcp $HOME_NET any -> [152.42.195.237] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511909; rev:1;)
alert tcp $HOME_NET any -> [91.231.182.140] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511908; rev:1;)
alert tcp $HOME_NET any -> [120.46.217.53] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511907; rev:1;)
alert tcp $HOME_NET any -> [121.40.87.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511906; rev:1;)
# URL indicators (alert http): client-to-server GET on an established flow.
# The short http.uri patterns ("/wizu", "/tqow") are nocase prefix matches
# with no end anchor; the exact http.host match is what scopes each rule.
# Only traffic parsed as HTTP is inspected, so requests to the same hosts over
# TLS are not matched, and no dns rule for these hosts appears next to them.
# NOTE(review): pair with DNS or TLS SNI telemetry if coverage of encrypted
# sessions matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"flongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511905/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqow"; depth:5; nocase; http.host; content:"bhungreecoq.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511904/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511904; rev:1;)
# Three I2PRAT entries share port 41674. Two carry confidence_level 100 and
# the third (194.26.135.9) carries 50, although it is adjacent to
# 194.26.135.10; the rule logic is identical, so only msg/metadata tell the
# lower-confidence alert apart.
alert tcp $HOME_NET any -> [154.216.20.137] 41674 (msg:"ThreatFox I2PRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511903; rev:1;)
alert tcp $HOME_NET any -> [194.26.135.10] 41674 (msg:"ThreatFox I2PRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511902; rev:1;)
alert tcp $HOME_NET any -> [194.26.135.9] 41674 (msg:"ThreatFox I2PRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511901/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511901; rev:1;)
alert tcp $HOME_NET any -> [31.58.58.237] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511899; rev:1;)
alert tcp $HOME_NET any -> [172.86.66.7] 7443 (msg:"ThreatFox Unknown malware botnet
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511897; rev:1;)
# ip:port indicators: each rule matches any TCP packet from $HOME_NET to the
# listed address and port, without flow or payload keywords, and raises at
# most one alert per source host per 60 seconds. target:src_ip marks the
# internal host as the affected side.
# NOTE(review): many of these destinations use port 80 or 443, where the rule
# cannot tell a C2 session from any other service on the address; confirm
# with flow or endpoint data before escalating a single hit.
alert tcp $HOME_NET any -> [34.23.216.158] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511898; rev:1;)
alert tcp $HOME_NET any -> [94.156.177.241] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511895; rev:1;)
alert tcp $HOME_NET any -> [91.235.234.50] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511896; rev:1;)
alert tcp $HOME_NET any -> [45.192.164.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511894; rev:1;)
# 60.204.152.14 is listed on ports 80 and 443, one sid per port.
alert tcp $HOME_NET any -> [60.204.152.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511892; rev:1;)
alert tcp $HOME_NET any -> [60.204.152.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511893; rev:1;)
alert tcp $HOME_NET any -> [118.107.221.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511891; rev:1;)
alert tcp $HOME_NET any -> [43.153.225.68] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511890; rev:1;)
alert tcp $HOME_NET any -> [101.201.76.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511889; rev:1;)
# Domain indicators at confidence_level 50. The names sit under shared
# tunnelling / dynamic-DNS parents (ply.gg, portmap.io, duckdns.org). depth
# equals the pattern length and isdataat:!1,relative forbids trailing data, so
# only a query for exactly the listed host matches (case-insensitive); other
# hosts under the same parent do not. These rules have no threshold, and a
# name of this kind can be re-pointed or re-registered.
# NOTE(review): check the resolved address and first_seen during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bid-nova.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511886/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"superaidol-42726.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511887/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"typoi-53795.portmap.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511888/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"streamingrpots.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511885/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511885; rev:1;)
alert tcp $HOME_NET any -> [13.49.223.229] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511884/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511884; rev:1;)
alert tcp $HOME_NET any -> [92.255.57.35] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511883/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511883; rev:1;)
alert tcp $HOME_NET any -> [110.43.68.73] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511882/; target:src_ip; metadata:
confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511882; rev:1;) alert tcp $HOME_NET any -> [84.46.239.89] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511881/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511881; rev:1;) alert tcp $HOME_NET any -> [118.122.8.155] 12571 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511879/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511879; rev:1;) alert tcp $HOME_NET any -> [44.243.105.226] 4063 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511880/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511880; rev:1;) alert tcp $HOME_NET any -> [35.182.188.168] 10013 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511877; rev:1;) alert tcp $HOME_NET any -> [52.23.156.175] 35100 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511878; rev:1;) alert tcp $HOME_NET any -> [161.35.151.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511874; rev:1;) alert tcp $HOME_NET any -> [158.176.11.88] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511875; rev:1;) alert tcp $HOME_NET any -> [103.233.8.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511876; rev:1;) alert tcp $HOME_NET any -> [45.141.101.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511872/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511872; rev:1;) alert tcp $HOME_NET any -> [216.107.138.186] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511873/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511873; rev:1;) alert tcp $HOME_NET any -> [54.244.226.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511871/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; 
sid:91511871; rev:1;) alert tcp $HOME_NET any -> [8.135.240.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511865/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511865; rev:1;) alert tcp $HOME_NET any -> [185.218.87.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511864/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"xvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511863/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"ubiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511862/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeui"; depth:5; nocase; http.host; content:"mediaflowq.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511861/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.209.1.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"farav.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"biwiv.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511843; rev:1;) alert tcp $HOME_NET any -> [123.249.0.46] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511858; rev:1;) alert tcp $HOME_NET any -> [13.244.87.214] 6006 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511855; rev:1;) 
# ThreatFox IOC rules, first_seen 2025-04-26, restored to one rule per line.
# sid = the IOC id from the reference URL with a leading 9; target:src_ip marks the $HOME_NET
# host as the target side of the alert.
#
# ip:port rules carry no flow or payload condition, so the destination address and port are the
# whole signature. The `threshold` limit (one alert per source per 60 s) is per rule: where one
# address is listed on several ports (3.26.144.235, 196.251.116.152) a single host can still
# raise one alert per port. Prioritise by confidence_level and re-check old first_seen dates,
# because addresses get reassigned.
alert tcp $HOME_NET any -> [3.26.144.235] 9142 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511856; rev:1;)
alert tcp $HOME_NET any -> [3.26.144.235] 31242 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511857; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.62] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511854; rev:1;)
alert tcp $HOME_NET any -> [84.247.148.249] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511853; rev:1;)
alert tcp $HOME_NET any -> [80.209.243.125] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511852; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.152] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511851; rev:1;)
alert tcp $HOME_NET any -> [206.238.196.130] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511850; rev:1;)
alert tcp $HOME_NET any -> [3.127.37.193] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511849; rev:1;)
alert tcp $HOME_NET any -> [115.159.92.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511848; rev:1;)
alert tcp $HOME_NET any -> [39.101.171.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511846; rev:1;)
alert tcp $HOME_NET any -> [166.88.14.137] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511847; rev:1;)
alert tcp $HOME_NET any -> [66.103.199.102] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511845; rev:1;)
alert tcp $HOME_NET any -> [134.3.182.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511844; rev:1;)
# url rules: http.method contains GET, http.uri must begin with the pattern (no end anchor, so
# anything may follow), and http.host must equal the pattern (depth = pattern length plus
# `isdataat:!1,relative`). They fire only on HTTP the sensor can parse; a fetch inside TLS is
# not seen. domain rules use the same anchoring on dns_query, so the query name must equal the
# pattern and a subdomain lookup does not match.
# security.flacgaurd.com and zemiosp.com have both a domain rule and url rules: one cleartext
# download raises the DNS alert and the HTTP alert; over TLS only the DNS alert remains.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a1f2b3c4d5e6f7a8b9c0d1e2f3a4b5/"; depth:33; nocase; http.host; content:"gocloudes.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6c4d1a9f8g3h7e5n6b5a9de4f"; depth:27; nocase; http.host; content:"security.flacgaurd.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.flacgaurd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress"; depth:10; nocase; http.host; content:"security.flacgaurd.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud.msi"; depth:10; nocase; http.host; content:"zemiosp.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zemiosp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511840; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.27] 31185 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511841/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511841; rev:1;)
# The ply.gg name below is a hostname on a shared tunnelling service; only this exact hostname
# matches, not the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"team-evaluating.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511842/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511842; rev:1;)
alert tcp $HOME_NET any -> [107.191.48.137] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cabym.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511821; rev:1;)
# sid 91511825: api.telegram.org is a legitimate service and the Bot API is served over HTTPS,
# so this `alert http` rule only sees the request where TLS is decrypted ahead of the sensor.
# The URI pattern pins one specific bot path (written lower-case, matched with nocase); it is
# that path, not the host, that makes a hit meaningful. confidence_level is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7381501080:aaef6ov30zeozs2sgutisqhwb_z4gqtpoqu/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511825/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"becel.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.js"; depth:5; nocase; http.host; content:"smart-american.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/select.js"; depth:14; nocase; http.host; content:"haidao10.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/files/teleram.zip"; depth:22; nocase; http.host; content:"todocarritos.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511834; rev:1;)
alert tcp $HOME_NET any -> [86.123.199.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511829/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511829; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.227] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511828/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511828; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.77] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511827/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511827; rev:1;)
alert tcp $HOME_NET any -> [38.242.155.5] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511826/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511826; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.101] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511824/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511824; rev:1;)
alert tcp $HOME_NET any -> [176.98.186.10] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511823/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511823; rev:1;)
alert tcp $HOME_NET any -> [172.94.53.162] 1361 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511822/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511822; rev:1;)
alert tcp $HOME_NET any -> [3.107.166.83] 55174 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511819; rev:1;)
alert tcp $HOME_NET any -> [54.165.221.106] 10859 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511818; rev:1;)
alert tcp $HOME_NET any -> [45.164.125.139] 7171 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511817; rev:1;)
alert tcp $HOME_NET any -> [3.0.125.83] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.socalmediazone.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511816; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.152] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511813; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.152] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511814; rev:1;)
# ThreatFox IOC rules, first_seen 2025-04-26, restored to one rule per line (the final line is
# the head of a rule that continues past this section and is left as found).
# Every rule here is an ip:port indicator: destination address and port are the whole signature,
# with no flow or payload condition, and `threshold: type limit, track by_src, seconds 60,
# count 1` caps each rule at one alert per source host per 60 seconds. sid = the IOC id from the
# reference URL with a leading 9; target:src_ip marks the $HOME_NET host as the target side.
#
# Most entries are labelled "Unknown malware" and sit on common ports (80, 443, 8080), so the
# alert alone does not name a family or show what was exchanged. The reference URL is the only
# pointer to context; corroborate with flow, DNS or endpoint data and re-check the indicator's
# age before acting, because addresses get reassigned.
alert tcp $HOME_NET any -> [47.111.117.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511812; rev:1;)
alert tcp $HOME_NET any -> [111.229.121.53] 57878 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511811; rev:1;)
alert tcp $HOME_NET any -> [47.122.122.68] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511808; rev:1;)
alert tcp $HOME_NET any -> [47.122.122.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511809; rev:1;)
alert tcp $HOME_NET any -> [47.108.158.237] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511810; rev:1;)
alert tcp $HOME_NET any -> [81.69.249.141] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511807; rev:1;)
alert tcp $HOME_NET any -> [38.207.176.43] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511806; rev:1;)
alert tcp $HOME_NET any -> [38.181.44.107] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511805; rev:1;)
alert tcp $HOME_NET any -> [3.101.191.16] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511784; rev:1;)
alert tcp $HOME_NET any -> [128.140.102.15] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511785; rev:1;)
alert tcp $HOME_NET any -> [35.84.54.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511786; rev:1;)
alert tcp $HOME_NET any -> [13.60.48.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511787; rev:1;)
alert tcp $HOME_NET any -> [13.238.144.187] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511788; rev:1;)
alert tcp $HOME_NET any -> [41.175.29.98] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511789; rev:1;)
alert tcp $HOME_NET any -> [173.224.122.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511790; rev:1;)
alert tcp $HOME_NET any -> [3.253.128.155] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511791; rev:1;)
alert tcp $HOME_NET any -> [43.138.181.97] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511783; rev:1;)
alert tcp $HOME_NET any -> [20.197.44.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511782; rev:1;)
alert tcp $HOME_NET any -> [43.202.161.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511779; rev:1;)
alert tcp $HOME_NET any -> [134.122.22.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511780; rev:1;)
alert tcp $HOME_NET any -> [35.157.26.81] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511781; rev:1;)
alert tcp $HOME_NET any -> [44.201.173.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511777; rev:1;)
alert tcp $HOME_NET any -> [150.109.117.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511778; rev:1;)
alert tcp $HOME_NET any -> [34.247.190.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511775; rev:1;)
alert tcp $HOME_NET any -> [43.202.120.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511776; rev:1;)
alert tcp $HOME_NET any -> [140.143.159.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511773; rev:1;)
alert tcp $HOME_NET any -> [51.75.22.182] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511774; rev:1;)
alert tcp $HOME_NET any -> [43.202.136.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511771/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511771; rev:1;) alert tcp $HOME_NET any -> [3.148.62.248] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511772; rev:1;) alert tcp $HOME_NET any -> [34.40.34.80] 4141 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511770; rev:1;) alert tcp $HOME_NET any -> [83.3.213.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511769; rev:1;) alert tcp $HOME_NET any -> [172.174.202.217] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511767; rev:1;) alert tcp $HOME_NET any -> [8.152.194.88] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511768; rev:1;) alert tcp $HOME_NET any -> [134.122.184.32] 5671 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511764; rev:1;) alert tcp $HOME_NET any -> [111.229.202.130] 8933 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511766; rev:1;) alert tcp $HOME_NET any -> [134.122.184.23] 5671 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511763; rev:1;) alert tcp $HOME_NET any -> [196.251.116.152] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511762; rev:1;) alert tcp $HOME_NET any -> [192.159.99.119] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511761; rev:1;) alert tcp $HOME_NET any -> [36.134.33.170] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; 
sid:91511760; rev:1;)
# --- ip:port indicator (ThreatFox IOC 1511759, Cobalt Strike, confidence 100) ---
# Header-only match: TCP from $HOME_NET to 113.45.225.150 port 9999. There is no
# flow or content condition, so the address and port are the whole signature.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds; target:src_ip marks the internal
# sender as the affected side in the event record.
alert tcp $HOME_NET any -> [113.45.225.150] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511759; rev:1;)
# --- domain indicator (IOC 1511758) ---
# dns_query selects the DNS query-name buffer. The content is 21 bytes with
# depth:21, so it must start at offset 0, and isdataat:!1,relative requires that
# nothing follows it: a case-insensitive (nocase) exact match on the full name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shequw.huixueweng.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511758; rev:1;)
# --- domain + URL pair for the same host (IOCs 1511757 and 1511756) ---
# The dns rule matches exactly "www.komijon.org" (15 bytes, depth:15, end of
# buffer), so a lookup of the bare domain or of another label under it does not
# hit this sid.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.komijon.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511757; rev:1;)
# The http rule needs client-side data on an established flow, "GET" in
# http.method, a URI that begins with "/cloudflare.msi" (depth:15 anchors the
# start; nothing anchors the end, so a trailing query string still matches) and
# an http.host equal to "www.komijon.org".
# "alert http" only sees traffic parsed as HTTP; if the same file is fetched
# over TLS without decryption, the dns rule above is the only signal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.komijon.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"komijon.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511743/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_26; classtype:trojan-activity; sid:91511743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.cloflardg.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress"; depth:10; nocase; http.host; content:"security.cloflardg.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6c4d1a9f8g3h7e5n6b5a9de4f"; depth:27; nocase; http.host; content:"security.cloflardg.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"defii-larna.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"trust.wallet-web3.ing"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1511702/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"coinomi.ing"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"en-trezor.io"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511700/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"atumicwallet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511701/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"manta-network-v2.us"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511698/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tronilnk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511699/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511699; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"core.coligeme.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.coligeme.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"updateyoubrousergoogle.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511677/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"arbitrag38.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511678/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"update.clcc.cl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511676/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511676; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"klintaps.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511674/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"jadhaoagroinds.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511675/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"rdixit.github.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511673/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"chromeinstall.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511672/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_26; classtype:trojan-activity; sid:91511672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/sss.php"; depth:12; nocase; http.host; content:"todocarritos.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/select.js"; depth:14; nocase; http.host; content:"todocarritos.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"todocarritos.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/good.js"; depth:12; nocase; http.host; content:"todocarritos.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haidao10.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.js"; depth:5; nocase; http.host; content:"islonline.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; 
classtype:trojan-activity; sid:91511705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/select.js"; depth:14; nocase; http.host; content:"erectilehelp.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"erectilehelp.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/sss.php"; depth:12; nocase; http.host; content:"erectilehelp.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.unalteredaccuracy.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"transdataa.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511725/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwpa"; depth:5; nocase; http.host; content:"transdataa.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"komijon.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qeqek.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/good.js"; depth:12; nocase; http.host; content:"haidao10.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/index.php"; depth:14; nocase; 
http.host; content:"haidao10.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/sss.php"; depth:12; nocase; http.host; content:"haidao10.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/files/proxy.zip"; depth:20; nocase; http.host; content:"todocarritos.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.coligeme.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.coligeme.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511664; rev:1;) 
# --- ip:port indicator (ThreatFox IOC 1511658, Bashlite, confidence 75) ---
# Header-only match: TCP from $HOME_NET to 194.87.209.28 port 23. The rule has
# no flow or content condition, so nothing here requires an established session
# or a particular payload; the address and port are the whole signature.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds. target:src_ip marks the internal
# sender as the affected side in the event record.
# NOTE(review): first_seen is 2025_04_26 and the rule carries no expiry; confirm
# the indicator is still listed at the reference URL before treating a hit as a
# confirmed infection.
alert tcp $HOME_NET any -> [194.87.209.28] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511658/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511658; rev:1;)
# --- domain indicator (IOC 1511659) ---
# dns_query selects the DNS query-name buffer. The content is 11 bytes with
# depth:11, so the match must start at offset 0; isdataat:!1,relative requires
# that nothing follows it. With nocase this is a case-insensitive exact match on
# "matur.press": a subdomain or a longer name does not match.
# fast_pattern nominates this content for the prefilter stage.
# The alert fires on the lookup, not on a connection. NOTE(review): where
# clients resolve through a forwarder inside $HOME_NET, src_ip is presumably
# that resolver; correlate with resolver logs to find the querying host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matur.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511659; rev:1;)
# --- ip:port indicator (IOC 1511657, Tofsee, confidence 100) ---
# Same header-only form as sid 91511658 above: any TCP from $HOME_NET to
# 185.39.19.20 port 429, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [185.39.19.20] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511657; rev:1;)
# --- URL indicator (IOC 1511502) ---
# flow:established,from_client restricts the rule to client-side data on an
# established flow. Keyword order matters: each content applies to the sticky
# buffer named just before it.
#   http.method  must contain "GET"
#   http.uri     must begin with "/js.php" (7 bytes, depth:7, nocase); no
#                end-of-buffer check, so a query string or longer path with
#                this prefix also matches
#   http.host    must equal "ronthom.com" (11 bytes, depth:11, then
#                isdataat:!1,relative); Suricata lowercases this buffer, which
#                is why no nocase is attached
# "alert http" only sees traffic parsed as HTTP; a fetch of the same URL over
# TLS without decryption would not reach these buffers, leaving the dns rule
# for the same host (sid 91511501, next) as the fallback signal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"ronthom.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511502; rev:1;)
# --- domain indicator (IOC 1511501) ---
# Exact, case-insensitive match on the query name "ronthom.com".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ronthom.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2y5t.js"; depth:8; nocase; http.host; content:"ronthom.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sticker-88l.pages.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"netnet.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511498; rev:1;) alert tcp $HOME_NET any -> [146.19.143.149] 515 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511496/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tugrambling.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"boxingcasualty.shop"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511483/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"yeaio.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511484/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dentistdomestic.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511485/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wildlifeautograph.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aoaee.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511487/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eurowatchw.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511479/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_04_26; classtype:trojan-activity; sid:91511479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eurastratse.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hindecoo.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511478/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greeconoimy.run"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511477/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"geoecony.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511476/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"teklits.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511804/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zfbezhefbzhbdfbzdufbuzbdf.pages.dev"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511802/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511802; rev:1;)
# URL-type IOCs whose path is just "/".
# http.uri content:"/" with depth:1 is satisfied by every origin-form request URI, so these
# rules effectively key on "GET + exact Host" only. The Host match is exact: depth equals the
# content length and isdataat:!1,relative rejects any trailing bytes.
# `alert http` only sees parsed cleartext HTTP; the same destination reached over TLS will not
# trigger these rules unless traffic is decrypted before the sensor.
# Confidence is 50% in the feed metadata: treat hits as a triage lead, not a verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zoomnews.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511803/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511803; rev:1;)
# Same pattern, but the Host header must be the literal IPv4 address (client addressed the server by IP).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.78.28.147"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511801/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511801; rev:1;)
# ip:port IOCs.
# No content, flow or app-layer keyword: any TCP packet from $HOME_NET to the listed address
# and port matches, whatever the payload. The threshold (type limit, track by_src, 60 s,
# count 1) caps output at one alert per internal source per minute per rule.
# target:src_ip marks the internal host as the affected side in the alert record.
# NOTE(review): address/port indicators go stale and addresses get reassigned; check
# first_seen against the feed before using a hit for blocking decisions.
alert tcp $HOME_NET any -> [154.22.5.87] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511800/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511800; rev:1;)
alert tcp $HOME_NET any -> [165.22.212.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511799/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511799; rev:1;)
alert tcp $HOME_NET any -> 
[172.232.27.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511798/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511798; rev:1;) alert tcp $HOME_NET any -> [52.23.156.175] 50100 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511794/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511794; rev:1;) alert tcp $HOME_NET any -> [52.23.156.175] 55200 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511795/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511795; rev:1;) alert tcp $HOME_NET any -> [52.23.156.175] 14900 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511796/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511796; rev:1;) alert tcp $HOME_NET any -> [18.212.89.240] 15 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511797/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511797; rev:1;) alert tcp $HOME_NET any -> [221.234.131.137] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1511792/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511792; rev:1;) alert tcp $HOME_NET any -> [104.168.96.138] 16001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511793/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511793; rev:1;) alert tcp $HOME_NET any -> [129.211.28.117] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"otopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511755/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"mcartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511754/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; 
content:"1biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511753/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"45.230.66.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511752/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_26; classtype:trojan-activity; sid:91511752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"vclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511749/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"pbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511748/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"ncartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511747/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; 
classtype:trojan-activity; sid:91511747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"fgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511746/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_26; classtype:trojan-activity; sid:91511746; rev:1;) alert tcp $HOME_NET any -> [185.241.208.161] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511739; rev:1;) alert tcp $HOME_NET any -> [13.246.3.184] 2403 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511738; rev:1;) alert tcp $HOME_NET any -> [3.84.178.184] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511737; rev:1;) alert tcp $HOME_NET any -> [152.42.138.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511735; rev:1;) alert tcp $HOME_NET any -> [185.241.208.161] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511736; rev:1;) alert tcp $HOME_NET any -> [54.184.31.128] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511734; rev:1;) alert tcp $HOME_NET any -> [38.146.27.84] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511732; rev:1;) alert tcp $HOME_NET any -> [198.23.227.140] 8801 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511733; rev:1;) alert tcp $HOME_NET any -> [156.244.7.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511731; rev:1;) alert tcp $HOME_NET any -> [157.230.42.240] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; 
classtype:trojan-activity; sid:91511730; rev:1;) alert tcp $HOME_NET any -> [47.86.100.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_26; classtype:trojan-activity; sid:91511729; rev:1;) alert tcp $HOME_NET any -> [8.148.20.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511728/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511728; rev:1;) alert tcp $HOME_NET any -> [193.176.22.172] 1414 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511727/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511727; rev:1;) alert tcp $HOME_NET any -> [92.116.91.140] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511723/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511723; rev:1;) alert tcp $HOME_NET any -> [189.146.233.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511722/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/raw/ws3434"; depth:11; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"physical-loving.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511720; rev:1;) alert tcp $HOME_NET any -> [176.10.107.180] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511717/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511717; rev:1;) alert tcp $HOME_NET any -> [176.10.107.180] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511718/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511718; rev:1;) alert tcp $HOME_NET any -> [176.10.107.180] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511719/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gvhiz06dl.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511715/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"taoh081018.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511716/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/supershell/login"; depth:34; nocase; http.host; content:"43.143.246.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vvs.cymru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511713/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511713; rev:1;) alert tcp $HOME_NET any -> [102.158.74.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511712/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511712; rev:1;) alert tcp $HOME_NET any -> [196.251.84.145] 8089 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511711/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511711; rev:1;) alert tcp $HOME_NET any -> [178.128.84.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511710; rev:1;) alert tcp $HOME_NET any -> [3.216.87.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511709; rev:1;) alert tcp $HOME_NET any -> [82.180.162.193] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.thecrabsterchief.work"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511694; rev:1;) alert tcp $HOME_NET any -> [18.231.183.14] 4839 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511693; rev:1;) alert tcp $HOME_NET any -> [45.141.233.166] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511692; rev:1;) alert tcp $HOME_NET any -> [188.25.21.87] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511691; rev:1;) alert tcp $HOME_NET any -> [95.169.180.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511689; rev:1;) alert tcp $HOME_NET any -> [38.134.148.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511690; rev:1;) alert tcp $HOME_NET any -> [139.99.25.131] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511688; rev:1;) alert tcp $HOME_NET any -> [71.191.212.43] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; 
sid:91511687; rev:1;) alert tcp $HOME_NET any -> [157.66.26.88] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511686; rev:1;) alert tcp $HOME_NET any -> [103.195.102.3] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511685; rev:1;) alert tcp $HOME_NET any -> [111.119.255.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511684; rev:1;) alert tcp $HOME_NET any -> [166.108.206.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511683; rev:1;) alert tcp $HOME_NET any -> [173.211.70.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511682; rev:1;) alert tcp $HOME_NET any -> [173.211.70.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1511681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511681; rev:1;)
# ip:port IOCs: match on destination address and port alone (no payload or protocol check).
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per internal
# source per 60 seconds for each rule, so the alert count says nothing about connection volume;
# use flow records to size the activity.
alert tcp $HOME_NET any -> [59.110.233.152] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511680; rev:1;)
# Port 443 with no TLS/SNI condition: every TCP session to this address on 443 matches.
# NOTE(review): if the address fronts other services this will also alert on them; correlate
# with TLS metadata before escalating.
alert tcp $HOME_NET any -> [38.181.44.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511679; rev:1;)
# Feed confidence for this indicator is 50%, lower than the two rules above.
alert tcp $HOME_NET any -> [147.185.221.27] 60338 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511656/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511656; rev:1;)
# Domain IOCs: exact, case-insensitive match on the DNS query name.
# depth equals the content length (anchors at the start of the name) and isdataat:!1,relative
# requires that nothing follows, so neither subdomains nor sibling names under the same
# parent zone match. dns_query is the legacy spelling of the dns.query sticky buffer.
# The rule sees the lookup only; it fires whether or not a connection follows, and it is
# blind to lookups that bypass the monitored resolver path (e.g. encrypted DNS).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"payment-lunch.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511654/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"units-dispute.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511655/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511655; rev:1;) 
# URL IOC on a shared paste host: GET request, Host exactly "pastebin.com", URI beginning
# with "/raw/6rkzrwrv".
# The Host match is exact (depth = content length, plus isdataat:!1,relative). The URI match
# is not: it has depth:13 and nocase but no end anchor, so it is a case-insensitive prefix
# match and longer URIs sharing that prefix also alert.
# NOTE(review): paste identifiers on such services are typically case-sensitive, so nocase
# may pull in unrelated pastes — confirm before relying on a hit.
# `alert http` only inspects parsed cleartext HTTP; a fetch over TLS is invisible to this
# rule unless traffic is decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/6rkzrwrv"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511653/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511653; rev:1;)
# Domain IOCs under multi-tenant dynamic-DNS parents.
# Each rule matches one full query name exactly (depth = content length, isdataat:!1,relative,
# nocase); other hostnames under the same parent zone are not affected.
# Confidence is 50% in the feed metadata; target:src_ip marks the querying internal host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wealthyblessedman.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511652/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"allblessingcometome.freemyip.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511646/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"globalmail.dynuddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511647/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"janbours92harbubreakthroughs.loseyourip.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511648/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; 
sid:91511648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mailhost.mysynology.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511649/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"postmasterrelayserver.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511650/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wealthyblessedma01n.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511651/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rse.pwirn.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511645/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ploots.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511628/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 50%)"; dns_query; content:"www.ptiorder.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511629/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.qx4ie.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511630/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ravella.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511631/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.riginorder.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511632/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rintsforu.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511633/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.roxyduwanjuan.info"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1511634/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sqwe.pet"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511635/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tbbwd.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511636/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.twanguffo.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511637/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uikjobs.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511638/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.unfunbigbgames.pics"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511639/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; 
classtype:trojan-activity; sid:91511639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wandafilmfestival.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511640/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wqrqj.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511641/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ykkg.pet"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511642/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ysp9.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511643/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zjylsp22.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511644/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 50%)"; dns_query; content:"www.ogicloop.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511622/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.okuousekizai.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511623/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ooty.city"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511624/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.orgevision147.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511625/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ork-abroad-36556.bond"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511626/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ospital-care-us-bl-36561.click"; depth:34; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511627/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ithsugar.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511612/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jdc6.one"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511613/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.klinic.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511614/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.liza.locker"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511615/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mrnm.bingo"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511616/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_04_25; classtype:trojan-activity; sid:91511616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nonymix.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.obisumo.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.od-mine.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.odestapparel.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511620/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ofas-cave-379.world"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511621/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealingcarecounseling.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511592/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealthsewa.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511593/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ellbuyon.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511594/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.emka.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511595/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.en-health-37595.bond"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511596/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.enteku.click"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511597/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.epayne.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.erenitypool-spa.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511599/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.esilientplaybook.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511600/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.et-together.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.etafury.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511602/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.etiantang9673.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511603/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.extenglishinstitute.online"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511604/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.g9r430o6al1l.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511605/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gkjkeiwbzou8pf.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511606/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gnouqk3mq.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511607/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511607; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.h10y.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511608/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.heworkshop.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511609/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hinaai.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511610/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iqaqua.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511611/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1ewqdas456yhytredvb.autos"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.3tcart.cyou"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.5x1r2p5bg86q.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7558a5.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511583/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9bet.bar"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.acaushowdesafios.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amir7.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511586/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511586; rev:1;)
# Domain indicators (alert dns): depth:<content length> pins the match to the
# start of the query name and isdataat:!1,relative requires that nothing
# follows it, so each rule fires only on the exact listed name (compared
# case-insensitively via nocase), not on other names under the same domain.
# These rules carry no threshold keyword, so every matching query raises an
# alert; rate-limit locally (e.g. threshold.config) if a host repeats lookups.
# confidence_level 50: treat a hit as a lead to corroborate with other
# telemetry for the same src_ip rather than as grounds for automatic blocking.
# target:src_ip marks the querying $HOME_NET address as the target in alert
# output; if the sensor sees queries from an internal resolver, that address
# is the resolver, so use resolver logs to identify the originating client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.anglove.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arinsurancehints.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bscript.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bvexil.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511590/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dsignageaustralia.online"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511591/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511591; rev:1;)
# URL indicators (alert http): each rule requires an established client
# request with method GET, a normalized URI that begins with "/fs24/"
# (depth:6, nocase) and an http.host that equals the listed name exactly
# (depth:<content length> plus isdataat:!1,relative anchor both ends; the
# http.host buffer is already lowercased, hence no nocase on that content).
# They match only HTTP the sensor can parse (cleartext or decrypted); the
# same hostnames also have "domain" rules in this file, so one host can raise
# paired alerts under two sids. Correlate on src_ip and hostname when triaging.
# No threshold keyword is set here, so repeated requests alert every time.
# confidence_level 50: corroborate before acting on a single hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.zjylsp22.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.roxyduwanjuan.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511569/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.sqwe.pet"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511570/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.tbbwd.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511571/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fs24/"; depth:6; nocase; http.host; content:"www.twanguffo.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511572/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.uikjobs.biz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511573/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.unfunbigbgames.pics"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511574/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.wandafilmfestival.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.wqrqj.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511576/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ykkg.pet"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ysp9.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ooty.city"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.orgevision147.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511560/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ork-abroad-36556.bond"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ospital-care-us-bl-36561.click"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ploots.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511563/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ptiorder.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511564/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.qx4ie.sbs"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511565/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ravella.biz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.riginorder.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511567/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.rintsforu.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511568/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.liza.locker"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; 
sid:91511550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.mrnm.bingo"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.nonymix.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.obisumo.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511553/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.od-mine.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.odestapparel.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ofas-cave-379.world"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ogicloop.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.okuousekizai.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.g9r430o6al1l.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511540/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.gkjkeiwbzou8pf.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.gnouqk3mq.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.h10y.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.heworkshop.biz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.hinaai.club"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.iqaqua.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ithsugar.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.jdc6.one"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.klinic.cfd"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.enteku.click"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.epayne.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.erenitypool-spa.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.esilientplaybook.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; 
sid:91511535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.et-together.vip"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.etafury.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.etiantang9673.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511538/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.extenglishinstitute.online"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.anglove.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511522; rev:1;)
# NOTE(review): the URL rules in this run share one shape. The request method
# must contain "GET"; http.uri must begin with "/fs24/" (depth equals the
# content length, nocase); http.host must equal the listed name (depth equals
# the content length, and isdataat:!1,relative allows no byte after it).
# Nothing anchors the end of the URI, so every path under /fs24/ on that host
# matches.
# These rules carry confidence_level 50 and a generic msg with no family name.
# Treat a single hit as a lead to correlate with DNS, proxy and endpoint
# telemetry, not as a confirmed infection.
# `alert http` only fires on requests Suricata can parse as HTTP; the same URL
# fetched inside TLS is not covered unless traffic is decrypted upstream.
# The sid is 90000000 plus the ThreatFox IOC id shown in the reference URL,
# which gives a direct lookup from an alert to the IOC record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.arinsurancehints.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.bscript.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.bvexil.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.dsignageaustralia.online"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1511526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ealingcarecounseling.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ealthsewa.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.ellbuyon.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.emka.live"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511530; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.en-health-37595.bond"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.1ewqdas456yhytredvb.autos"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.3tcart.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.5x1r2p5bg86q.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fs24/"; depth:6; nocase; http.host; content:"www.7558a5.vip"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.9bet.bar"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.acaushowdesafios.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fs24/"; depth:6; nocase; http.host; content:"www.amir7.sbs"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"139.99.25.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511514/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_04_25; classtype:trojan-activity; sid:91511514; rev:1;)
# NOTE(review): sid 91511514, which ends on the line above, anchors http.uri
# with content:"/" and depth:1, so the URI adds no selectivity. In practice it
# alerts on any GET whose Host is exactly 139.99.25.131. Triage it as a host
# indicator at confidence_level 50, not as a URL match.
#
# NOTE(review): the ip:port rules below have no flow, flags or content keyword.
# Each one matches any TCP packet from $HOME_NET to the listed address and
# port, including a SYN that is never answered, so an alert shows an attempt
# and not an established C2 session.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source address per 60 seconds per rule; it does not reduce what the
# rule matches.
# target:src_ip marks the $HOME_NET side as the affected host in the event.
# The metadata carries first_seen but no expiry. Addresses get reassigned, so
# check the IOC's current status via the reference URL before acting on an old
# entry, especially at confidence_level 50.
alert tcp $HOME_NET any -> [45.201.216.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511513; rev:1;)
alert tcp $HOME_NET any -> [45.148.11.14] 3541 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511511; rev:1;)
alert tcp $HOME_NET any -> [3.145.178.55] 13 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511512; rev:1;)
alert tcp $HOME_NET any -> [144.172.97.2] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511509; rev:1;)
alert tcp $HOME_NET any -> [104.238.162.122] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511510; rev:1;)
alert tcp $HOME_NET any -> [157.90.192.89] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511506; rev:1;) alert tcp $HOME_NET any -> [82.117.242.178] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511507; rev:1;) alert tcp $HOME_NET any -> [91.199.163.74] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511508; rev:1;) alert tcp $HOME_NET any -> [82.147.88.84] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511503; rev:1;) alert tcp $HOME_NET any -> [92.255.57.75] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511504; rev:1;) alert tcp $HOME_NET any -> [45.141.84.208] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511505; rev:1;) alert tcp $HOME_NET any -> [176.65.148.219] 
3128 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511495; rev:1;) alert tcp $HOME_NET any -> [146.19.143.149] 1338 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511494; rev:1;) alert tcp $HOME_NET any -> [89.168.81.122] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"ttopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511475/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"lgeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511474/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"egeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511473/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"btopographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511472/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"atropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511471/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"1cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511470/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tpeo"; depth:5; nocase; http.host; content:"quonecony.live"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1511469/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"k2salaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511468/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"8starofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511467/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"habyg.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kenut.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"coligeme.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511465; rev:1;)
# NOTE(review): sid 91511465 above and the dns rule below cover the same
# domain. The http rule needs a parseable cleartext GET whose URI begins with
# "/cloudflare.msi"; the dns rule fires on the lookup itself, so it is the one
# that still triggers when the payload is fetched over TLS.
# The dns match is exact. depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so a query for a subdomain of
# this name does not match; nocase handles mixed-case queries.
# dns_query is the legacy spelling of the dns.query sticky buffer. Confirm that
# the deployed Suricata version still accepts it before loading the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coligeme.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511466; rev:1;)
# NOTE(review): the ip:port rules below match on destination address and port
# only, with no flow or content keyword. On ports 80 and 443 that cannot
# separate C2 from any other service behind the same address; confirm with
# TLS/HTTP metadata or endpoint evidence before containment.
alert tcp $HOME_NET any -> [62.60.226.89] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511464; rev:1;)
alert tcp $HOME_NET any -> [146.59.161.204] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511463; rev:1;)
alert tcp $HOME_NET any -> [194.164.93.107] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511461; rev:1;)
alert tcp $HOME_NET any -> [20.190.118.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511462/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_25; classtype:trojan-activity; sid:91511462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bouldercountymedicarehelp.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511460; rev:1;) alert tcp $HOME_NET any -> [103.134.22.156] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511459; rev:1;) alert tcp $HOME_NET any -> [158.247.192.174] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511458; rev:1;) alert tcp $HOME_NET any -> [206.123.152.100] 46167 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511457; rev:1;) alert tcp $HOME_NET any -> [45.159.209.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ywwcu7xx"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511454/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511454; rev:1;)
# NOTE(review): sid 91511454 above names a shared, legitimate host
# (pastebin.com), so the URI is the only discriminator. It is matched as a
# case-insensitive prefix: "/raw/ywwcu7xx" with nocase and no end anchor. A
# path that differs only in letter case, or that continues past these 13
# bytes, also alerts.
# The site is typically reached over TLS, where an `alert http` rule sees
# nothing unless traffic is decrypted upstream. Do not read the absence of
# alerts as absence of access; check proxy or endpoint logs for the same URL.
#
# NOTE(review): the next rule matches "/robots.txt" on one exact hostname under
# a shared hosting suffix at confidence_level 50. Any client or crawler that
# requests that path from that host triggers it, so look at the requesting
# process or user agent before treating a hit as payload delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robots.txt"; depth:11; nocase; http.host; content:"cloudflareapage.pages.dev"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511453/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su8kud7i/login.php"; depth:19; nocase; http.host; content:"185.39.17.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511452/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511452; rev:1;)
# NOTE(review): the ip:port rules below have no flow or content keyword. They
# alert on any TCP packet from $HOME_NET to the listed address and port, at
# most once per source per 60 seconds (threshold type limit). At
# confidence_level 50, use them for correlation, not automatic blocking.
alert tcp $HOME_NET any -> [8.130.119.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511451/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511451; rev:1;)
alert tcp $HOME_NET any -> [107.189.26.70] 49 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511450/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511450; rev:1;)
alert tcp 
$HOME_NET any -> [185.147.124.103] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511447/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511447; rev:1;)
# SectopRAT C2 endpoints, sids 91511438-91511448 (including the rule completed
# on the line above): eleven addresses, all TCP port 9000, all
# confidence_level 50 with first_seen 2025_04_25.
# The rules have no flow or content keywords, so any TCP packet from $HOME_NET
# to one of these address:port pairs alerts, limited to one alert per source
# host per 60 seconds. target:src_ip records the internal host as the affected
# side.
# NOTE(review): a hit shows only that a host sent traffic to the endpoint, not
# what was exchanged; pair it with host telemetry before escalating.
alert tcp $HOME_NET any -> [45.141.84.60] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511448/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511448; rev:1;)
alert tcp $HOME_NET any -> [185.125.50.140] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511443/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511443; rev:1;)
alert tcp $HOME_NET any -> [185.157.214.192] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511444/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511444; rev:1;)
alert tcp $HOME_NET any -> [77.239.117.135] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511445/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511445; rev:1;)
alert tcp $HOME_NET any -> [193.201.9.252] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511446/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511446; rev:1;)
alert tcp $HOME_NET any -> [45.118.248.29] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511440/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511440; rev:1;)
alert tcp $HOME_NET any -> [80.209.243.125] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511441/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511441; rev:1;)
alert tcp $HOME_NET any -> [5.230.54.243] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511442/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511442; rev:1;)
alert tcp $HOME_NET any -> [92.255.57.31] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511438/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511438; rev:1;)
alert tcp $HOME_NET any -> [194.246.83.10] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511439/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511439; rev:1;)
alert tcp $HOME_NET any -> [123.57.239.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511437/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511437; rev:1;)
# Cobalt Strike ip:port indicator at confidence_level 50: header-only match on
# destination address and port, one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [8.148.224.96] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511436/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511436; rev:1;)
# Payload-delivery URLs at confidence_level 100. http.host must equal the
# listed name exactly (depth + isdataat:!1,relative); http.uri is a
# case-insensitive prefix match, so query strings or longer paths after the
# listed path still alert.
# NOTE(review): these rules inspect parsed HTTP requests only; a fetch over
# TLS would presumably not reach the http.* buffers unless traffic is decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"coligeme.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4r2h.js"; depth:8; nocase; http.host; content:"vickmarine.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511421; rev:1;)
# Domain indicators: dns_query with depth = name length and
# isdataat:!1,relative is an exact, case-insensitive match on the queried name;
# a subdomain of the listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"machinehiub.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511422/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"techformb.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511423/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511423; rev:1;)
# Run of .digital C2 domains at confidence_level 75 (sids 91511423-91511435,
# including the rule completed on the line above).
# Each rule matches the DNS query name exactly and case-insensitively: depth
# equals the name length and isdataat:!1,relative forbids trailing bytes, so a
# lookup for a subdomain of one of these names does not alert.
# target:src_ip records the querying address as the affected side.
# NOTE(review): if clients resolve through an internal recursive resolver, the
# source seen by the sensor may be the resolver rather than the infected host;
# resolver query logs are then needed to attribute the lookup.
# NOTE(review): dns_query is the older spelling of this buffer; newer Suricata
# releases also accept dns.query - check which the deployed version expects.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lifecubeq.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511424/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"technomindc.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511425/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quicktecho.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511426/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hackergala.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511427/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"datacubei.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511428/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"appstreawm.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511429/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"innovtechg.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511430/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pixelcodey.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511431/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coderspartk.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511432/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dsystemx.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"digilayerx.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smartbitsx.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511435; rev:1;)
# Payload-delivery domain at confidence_level 100; same exact-name DNS match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lizyf.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511410; rev:1;)
# URL indicator on a literal IP host: http.host must equal "88.214.50.3"
# exactly, while http.uri only has to begin with "/login" (depth:6, nocase, no
# end anchor), so any path starting with /login on that host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"88.214.50.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511415; rev:1;)
# ip:port indicator at confidence_level 50: header-only match, one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [31.9.48.183] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511419/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511419; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lianxinxiao.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511418/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511418; rev:1;)
# ip:port indicator at confidence_level 50 on TCP 443: header-only match with
# no TLS or content inspection, so every connection from $HOME_NET to this
# address and port alerts (at most once per source host per 60 seconds).
alert tcp $HOME_NET any -> [3.112.192.119] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511411/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"files.fnomworldwide.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511409; rev:1;)
# Payload-delivery hosts covered by both URL and domain rules
# (security.guarbcfelare.com: sids 91511404-91511406; www.coligeme.com:
# sids 91511407-91511408). The host and DNS matches are exact, so only the
# names as written alert; the URL rules match any URI that begins with the
# listed path.
# NOTE(review): one download can raise the DNS alert and the HTTP alert for
# the same client; correlate on source address and time rather than counting
# them as separate events. The DNS rule is presumably the only one of the pair
# that fires when the fetch itself is encrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6c4d1a9f8g3h7e5n6b5a9de4f"; depth:27; nocase; http.host; content:"security.guarbcfelare.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.guarbcfelare.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress"; depth:10; nocase; http.host; content:"security.guarbcfelare.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.coligeme.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.coligeme.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511408; rev:1;)
# Short .top payload-delivery domains at confidence_level 100; exact-name DNS
# match as above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muhoj.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sylaj.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511402; rev:1;)
alert tcp 
$HOME_NET any -> [123.207.79.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511403/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511403; rev:1;)
# ip:port C2 indicators for several families (the rule completed above is
# confidence_level 75; the rest of this run is confidence_level 100).
# Each rule is a header-only match: no flow, TLS or payload keywords, so any
# TCP packet from $HOME_NET to the listed address and port alerts, limited by
# the threshold to one alert per source host per 60 seconds.
# target:src_ip records the internal host as the affected side.
# NOTE(review): because of the threshold, a single alert can stand for a
# long-lived or repeated connection; use flow records to size the activity.
alert tcp $HOME_NET any -> [209.145.56.66] 8443 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511401; rev:1;)
alert tcp $HOME_NET any -> [93.198.191.241] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511400; rev:1;)
alert tcp $HOME_NET any -> [156.208.38.51] 4445 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511399; rev:1;)
alert tcp $HOME_NET any -> [77.83.198.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511398; rev:1;)
# Hook: the same address appears on ports 8082 and 80 (sids 91511397,
# 91511396), plus a domain rule for ip131.ip-139-99-25.net (sid 91511395).
# NOTE(review): the name looks like a provider-assigned hostname for
# 139.99.25.131 - presumably the same endpoint; expect the DNS and tcp alerts
# to arrive together for one client.
alert tcp $HOME_NET any -> [139.99.25.131] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip131.ip-139-99-25.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511395; rev:1;)
alert tcp $HOME_NET any -> [139.99.25.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511396; rev:1;)
alert tcp $HOME_NET any -> [144.172.87.71] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511394; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.101] 6002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511393; rev:1;)
# Cobalt Strike endpoints at confidence_level 100 (sids 91511389-91511392).
alert tcp $HOME_NET any -> [47.109.177.97] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511392; rev:1;)
alert tcp $HOME_NET any -> [194.102.104.25] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511390; rev:1;)
alert tcp $HOME_NET any -> [149.104.30.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511391; rev:1;)
alert tcp $HOME_NET any -> [116.198.229.197] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511389; rev:1;)
# www.* C2 domains at confidence_level 50: exact, case-insensitive match on
# the DNS query name (the bare domain without "www." does not match).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.upport-meta2903.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511382/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uv3kq5tvbkys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511383/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vertdzb.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1511384/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511384; rev:1;)
# Run of www.* C2 domain indicators, all confidence_level 50 with
# first_seen 2025_04_25.
# Each rule matches the DNS query name exactly and case-insensitively
# (dns_query buffer, depth = name length, isdataat:!1,relative), so neither the
# bare domain without "www." nor any other subdomain alerts.
# target:src_ip records the querying address as the affected side; behind an
# internal recursive resolver that address may be the resolver, not the client.
# NOTE(review): several names read like words missing their first letter
# (for example "upport", "inancialfreedomclub", "ightmareroad",
# "lobaltravelbookings"). If the indicator was truncated upstream, the rule
# would never match the real name; check the referenced ThreatFox entry before
# relying on these for coverage, and weigh hits as low-confidence leads.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.winx6.casino"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511385/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.x39q.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511386/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zev.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511387/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zw5m.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511388/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ogparks.club"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.omiq.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511367/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.orchers.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511368/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.orkshopaicollaborationhub.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511369/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ovaecho.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511370/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.palmsrd.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511371/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.reta99.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511372/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rishticodiegfortysix.online"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511373/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ritishpanel.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511374/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rostygust.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511375/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.slarose.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511376/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ssiduousate.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511377/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tn67n.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511378/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uangjiahao.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511379/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uper-bowl-kickoff-time.cfd"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511380/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uponbs3.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511381/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ires-72090.bond"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511351/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ixmy.beauty"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511352/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.khsim.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ksp679.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511354/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lanajoyeria.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511355/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.layplus77.vip"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511356/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.levateballoonco.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511357/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lobaltravelbookings.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511358/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mail-marketing-job-62763.bond"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511359/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.marcato.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511360/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ndimadeahome.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511361/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nnotechbs.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.odeatoll.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511363/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.odzat.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511364/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oftfusion.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.atizenairdrop.bet"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511339/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.audace.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511340/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.avino.website"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511341/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bcw1219.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511342/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ellwish.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511343/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ethil.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511344/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fp8ch.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511345/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hieh33.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511346/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ideoxxfree.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511347/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.igaborgz.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511348/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ightmareroad.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511349/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.inancialfreedomclub.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511350/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4260686.xyz"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511326/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.488ns.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511327/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.8ekcmt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511328/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.8j3tfb2djzoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511329/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9o8yd.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511330/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.alisisi.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511331/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_04_25; classtype:trojan-activity; sid:91511331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.andygirls.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arisasuestalvey.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arka.group"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511334/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aser-eye-surgery-3291.bond"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511335/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ash-paying-jobs-79621.bond"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511336/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511336; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.asinocruiseclub.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511337; rev:1;)
# Domain IOCs as DNS-query rules: exact, case-insensitive match on the queried name
# (depth:<length of the name> + isdataat:!1,relative + nocase on the dns_query buffer).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.astertechhub.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1198.pet"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511324/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4260621.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511325/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511325; rev:1;)
# ThreatFox URL IOCs as HTTP rules (confidence_level 50, first_seen 2025_04_25), one rule per line.
# Match logic: established flow, client-to-server; http.method contains "GET"; http.uri starts
# with "/an20/" (depth:6, nocase); http.host equals the listed name exactly
# (depth:<length of the name> + isdataat:!1,relative). The rest of the URI is not constrained.
# NOTE(review): these are "alert http" rules, so they only fire on requests the engine parses
# as HTTP; the same names reached over TLS are presumably visible only through DNS-query rules.
# NOTE(review): several host names also appear in DNS-query rules (e.g. "www.astertechhub.info",
# "www.asinocruiseclub.net"), so one host can raise both alerts; correlate on src_ip.
# NOTE(review): confidence is 50% and every rule shares the same "/an20/" path prefix. Check the
# referenced ThreatFox entry before treating a hit as confirmed C2 or promoting a name to a blocklist.
# NOTE(review): no threshold option is set, so periodic requests from one host alert each time.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.zw5m.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511323/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.uponbs3.pro"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511316/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.upport-meta2903.online"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511317/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.uv3kq5tvbkys.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511318/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.vertdzb.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511319/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.winx6.casino"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511320/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.x39q.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511321/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.zev.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511322/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.reta99.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511307/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.rishticodiegfortysix.online"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ritishpanel.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.rostygust.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511310/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.slarose.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511311/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ssiduousate.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511312/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.tn67n.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511313/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.uangjiahao.online"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511314/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.uper-bowl-kickoff-time.cfd"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511315/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.oftfusion.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511300/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ogparks.club"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511301/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.omiq.tech"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511302/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.orchers.world"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511303/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.orkshopaicollaborationhub.xyz"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511304/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ovaecho.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511305/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.palmsrd.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.levateballoonco.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511292/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.lobaltravelbookings.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511293/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.mail-marketing-job-62763.bond"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511294/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.marcato.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511295/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ndimadeahome.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511296/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.nnotechbs.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511297/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.odeatoll.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511298/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.odzat.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511299/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ightmareroad.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511284/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.inancialfreedomclub.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511285/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ires-72090.bond"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511286/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ixmy.beauty"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511287/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.khsim.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511288/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ksp679.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511289/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.lanajoyeria.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511290/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.layplus77.vip"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511291/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.bcw1219.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511277/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ellwish.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511278/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ethil.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511279/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.fp8ch.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511280/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.hieh33.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511281/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ideoxxfree.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511282/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.igaborgz.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511283/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.ash-paying-jobs-79621.bond"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511271/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.asinocruiseclub.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511272/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.astertechhub.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511273/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.atizenairdrop.bet"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511274/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.audace.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511275/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.avino.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511276/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.8j3tfb2djzoo.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511264/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.9o8yd.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511265/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.alisisi.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511266/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.andygirls.biz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511267/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.arisasuestalvey.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511268/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.arka.group"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511269/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.aser-eye-surgery-3291.bond"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511270/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.1198.pet"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511259/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.4260621.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511260/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.4260686.xyz"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511261/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.488ns.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511262/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an20/"; depth:6; nocase; http.host; content:"www.8ekcmt.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511263/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511263; rev:1;) alert tcp $HOME_NET any -> [149.210.66.4] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511258/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511258; rev:1;) alert tcp $HOME_NET any -> [45.114.60.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511257/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; 
depth:5; nocase; http.host; content:"vlongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511255/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511255; rev:1;)
# --- Payload delivery: one host listed both as a URL and as a domain ---
# The HTTP rule needs a cleartext GET whose normalized URI starts with /cloudflare.msi and whose Host
# equals the listed name exactly. The DNS rule fires on the lookup itself, so it still gives a signal
# when the download that follows is not visible as plain HTTP. Expect both sids for one event when the
# sensor sees both the query and the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"core.keloimnau.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.keloimnau.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511253; rev:1;)
# --- ip:port indicators ---
# Header-only rules (no flow, no content): any TCP packet from $HOME_NET to the address and port
# matches, and the threshold limits each sid to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [196.251.86.114] 5050 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511254/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511254; rev:1;)
alert tcp $HOME_NET any -> [172.111.163.162] 2983 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511251; rev:1;)
# The name below sits under a dynamic-DNS style parent; depth plus isdataat:!1,relative make the
# dns_query match exact, so only this one hostname is covered and other names under the same parent
# are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxbusinessclub.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511250; rev:1;)
alert tcp $HOME_NET any -> [89.185.84.127] 443 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511249/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511249; rev:1;)
# --- URL indicators with short path prefixes (/tqoa, /kbud, /glsk, /banb, /ixau; confidence 75) ---
# depth:5 anchors the five-byte path to the start of http.uri without an end anchor, so longer paths
# that merely begin with the same bytes also match; the exact-match http.host condition is what keeps
# these specific. Several hosts share one path (three different hosts use /kbud), so triage is
# easier when alerts are grouped by path as well as by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"qfybiosphxere.digital"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511248/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"eclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511247/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"bclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511246; rev:1;)
# Host condition below is an IP literal rather than a name, so the rule only fires when the client
# sends that literal as its Host value.
# NOTE(review): whether a Host header that carries an explicit port still satisfies the exact-match
# anchor depends on how http.host is normalized; verify on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incongruousness.php"; depth:20; nocase; http.host; content:"79.124.78.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"lbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511244/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"ciwoodpeckersd.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511243/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"avigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511242/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511242; rev:1;)
# Port 443 in an ip:port rule (QakBot entry below): with no TLS or payload condition, every TCP
# packet to that address on 443 alerts, whatever service actually answers there.
alert tcp $HOME_NET any -> [117.24.3.176] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511241/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511241; rev:1;)
alert tcp $HOME_NET any -> [1.161.124.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511240/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"ywoodpeckersd.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511239/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"ufclimatologfy.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511238/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"3cartograhphy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511237/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"cdn.optitc.com"; depth:14; fast_pattern; isdataat:!1,relative;
nocase; reference:url, threatfox.abuse.ch/ioc/1511234/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511234; rev:1;)
# --- Domain indicators (dns_query) ---
# How these rules match:
#  - content with depth equal to the name length plus isdataat:!1,relative is an exact match on the
#    queried name (case-insensitive via nocase); a query for a subdomain of the listed name does not
#    fire the rule.
#  - dns_query is the older spelling of the dns.query sticky buffer, while the HTTP rules in this
#    block already use the dotted form (http.uri, http.host); worth checking against the Suricata
#    version in use when the feed is loaded.
#  - The header is $HOME_NET -> $EXTERNAL_NET, so only queries leaving the protected networks are
#    inspected. Where clients use an internal recursive resolver inside $HOME_NET, the alert source is
#    presumably the resolver rather than the workstation; correlate with resolver query logs.
#  - confidence_level 50 on most of these entries: treat a single lookup as a lead to investigate.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"signature908.golf"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511235/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"corner427.space"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511236/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aardvarkw.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511233/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"eshopper.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511228/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"mvhelp.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511229/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"helpset123.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511230/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"300005.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511231/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"desktool.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511232/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511232; rev:1;)
# --- ip:port indicators ---
# Header-only rules: any TCP packet from $HOME_NET to the address and port matches; the threshold
# allows one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [154.81.179.131] 9645 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511227/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511227; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 29924 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511225; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.27] 58573 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511226/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511226; rev:1;)
# The three names below are single hostnames under what look like shared tunnelling or port-mapping
# parents. The exact-match anchors keep each rule to its one hostname; do not widen these to the
# parent domain when turning alerts into blocks, since other tenants of the same service would be hit.
# NOTE(review): the ip:port entries just above may be the shared front-end addresses of such
# services; confirm ownership before blocking an address outright.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zdwdwadzdwa-51598.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511222/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"centre-shake.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511223/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"reo.gl.at.ply.gg"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511224/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511224; rev:1;)
# --- URL indicators on a general-purpose paste site ---
# The Host condition names a widely used legitimate service, so the path is the only discriminator.
#  - The path content is all lower case and carries nocase, and depth:13 anchors only the start, so
#    any GET whose URI begins with these 13 bytes in any letter case matches.
#  - NOTE(review): paste identifiers on this service are, as far as I know, case-sensitive; if so, a
#    different paste whose id differs only in letter case would also alert. Confirm the original
#    casing from the ThreatFox entry before treating a hit as the listed paste.
#  - Only cleartext HTTP is inspected; requests made over TLS are not seen by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/4jmdmm15"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511219/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rnbkqg1e"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/s21lhj8e"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511221/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511221; rev:1;)
# Payload-delivery domains at confidence_level 100. The first is a single hostname under a shared
# hosting parent; the exact-match anchors limit the rule to that one hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"know-knock-who-is-here.pages.dev"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-a2k8-go.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rugyg.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.keloimnau.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511169; rev:1;)
# --- ip:port indicators ---
# These rules have no flow or payload keywords: any TCP packet from $HOME_NET to the listed address
# and port matches, and "type limit, track by_src, seconds 60, count 1" allows one alert per source
# address per 60 seconds for each sid.
#  - The port-443 entry fires on every connection to that address on 443, whatever is served there.
#  - The three Remcos entries share one address on consecutive ports and have separate sids, so a
#    host that touches all three ports can raise three alerts within the same minute.
alert tcp $HOME_NET any -> [194.87.232.26] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511190; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.139] 30303 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511216; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.139] 30304 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511217/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511217; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.139] 30305 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511218; rev:1;)
# --- Domain indicators (dns_query, confidence_level 50) ---
# depth equal to the name length plus isdataat:!1,relative makes each match exact on the queried
# name, case-insensitive via nocase. Many of the names are single hostnames under dynamic-DNS or
# tunnelling parents (several share the same parent suffix); the rules deliberately cover only the
# listed hostname, and a block derived from an alert should stay at that granularity.
# Queries are inspected only on the way from $HOME_NET to $EXTERNAL_NET; behind an internal resolver
# the alert source is presumably the resolver, so pair these with resolver logs to find the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"obinwannedimna.ydns.eu"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rem25rem.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511215; rev:1;)
alert tcp $HOME_NET any -> [80.64.16.35] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"friends-virginia.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"games-travel.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"scriptdagoat-42745.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tobixhere-32449.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511212; rev:1;)
# NOTE(review): an address listed next to tunnelling-service hostnames may be a shared front end of
# such a service rather than a dedicated server; confirm ownership before blocking it outright.
alert tcp $HOME_NET any -> [147.185.221.27] 54782 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511208/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"a-ended.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511207/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hacking01.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fiushion.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511204/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huyxingum.mikustore.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511205/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"donaldcity.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511202/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nevernews.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511203/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511203; rev:1;)
alert tcp $HOME_NET any -> [114.66.58.133] 8995 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511201/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511201; rev:1;)
# The URI condition below is the single byte "/" at depth:1. Every origin-form request path begins
# with "/", so in practice this is a host-only rule: any cleartext GET whose Host equals the listed
# name alerts, whatever path is requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"chaintraderx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511200/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verify/"; depth:8;
nocase; http.host; content:"we-will.servegame.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511199/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0xmdru/login.php"; depth:18; nocase; http.host; content:"185.147.124.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511198/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c60d76a15a1d4de5.php"; depth:21; nocase; http.host; content:"147.45.44.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511197/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511197; rev:1;) alert tcp $HOME_NET any -> [177.234.144.240] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511196/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511196; rev:1;) alert tcp $HOME_NET any -> [54.70.105.247] 11065 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511195/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511195; rev:1;) alert tcp $HOME_NET any -> [13.232.77.18] 427 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511194/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511194; rev:1;) alert tcp $HOME_NET any -> [105.197.154.83] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511193/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511193; rev:1;) alert tcp $HOME_NET any -> [196.251.84.27] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511192/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511192; rev:1;) alert tcp $HOME_NET any -> [95.182.122.252] 80 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511191/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511191; rev:1;) alert tcp $HOME_NET any -> [60.17.15.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511189/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511189; rev:1;) alert tcp $HOME_NET any -> [158.247.247.157] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511187/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; 
sid:91511187; rev:1;)
# ip:port rules, all at confidence_level 50 (the value is repeated in msg and in metadata).
# None of them has a flow or content keyword, so any TCP packet from $HOME_NET to the
# listed address and port matches, including a SYN that is never answered. An alert
# therefore rests on the destination address alone.
# NOTE(review): a hit on a 443 or 80 entry may be unrelated traffic if the address is
# shared or has been reassigned since first_seen - confirm against flow or TLS logs.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per
# source host per 60 seconds for each sid.
# sid is the ThreatFox IOC id from the reference URL prefixed with 9.
alert tcp $HOME_NET any -> [158.247.243.223] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511188/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511188; rev:1;)
alert tcp $HOME_NET any -> [177.136.225.145] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511185/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511185; rev:1;)
alert tcp $HOME_NET any -> [23.254.215.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511186/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511186; rev:1;)
alert tcp $HOME_NET any -> [3.26.24.29] 14082 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511184/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511184; rev:1;)
alert tcp $HOME_NET any -> [3.91.49.221] 15 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511183/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511183; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.6] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1511181/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511181; rev:1;) alert tcp $HOME_NET any -> [172.111.139.42] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511182/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511182; rev:1;) alert tcp $HOME_NET any -> [84.247.148.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511180/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511180; rev:1;) alert tcp $HOME_NET any -> [43.163.196.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511178/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511178; rev:1;) alert tcp $HOME_NET any -> [139.84.172.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511179/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511179; rev:1;) alert tcp $HOME_NET any -> [119.91.49.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511177/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511177; rev:1;) alert tcp $HOME_NET any -> [119.45.178.251] 50050 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511176/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511176; rev:1;) alert tcp $HOME_NET any -> [185.243.96.104] 5556 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511173/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511173; rev:1;) alert tcp $HOME_NET any -> [207.2.122.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511174/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511174; rev:1;) alert tcp $HOME_NET any -> [18.159.210.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511175/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511175; rev:1;) alert tcp $HOME_NET any -> [185.43.4.70] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511171/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511171; rev:1;) alert tcp $HOME_NET any -> [160.19.79.251] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511172/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; 
classtype:trojan-activity; sid:91511172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u1.pridefulamaretto.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511170; rev:1;) alert tcp $HOME_NET any -> [3.96.191.215] 2761 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511168; rev:1;) alert tcp $HOME_NET any -> [18.185.33.50] 4841 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511167; rev:1;) alert tcp $HOME_NET any -> [86.54.42.245] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511166; rev:1;) alert tcp $HOME_NET any -> [45.61.151.127] 2096 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511165; rev:1;) alert tcp $HOME_NET any -> [49.113.75.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511163; rev:1;) alert tcp $HOME_NET any -> [16.162.136.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511164; rev:1;) alert tcp $HOME_NET any -> [57.128.219.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511162; rev:1;) alert tcp $HOME_NET any -> [147.93.146.25] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511161; rev:1;) alert tcp $HOME_NET any -> [104.37.4.100] 6001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511160; rev:1;) alert tcp $HOME_NET any -> [47.109.82.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511159; rev:1;) alert 
tcp $HOME_NET any -> [194.36.171.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511158; rev:1;)
# ip:port rule (same shape as the rule that ends on the line above): no flow or content
# keyword, so any TCP packet from $HOME_NET to this address and port matches, including
# an unanswered SYN. The threshold limits output to one alert per source per 60 seconds.
# Treat a hit as an attempted connection until an established session is confirmed.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
alert tcp $HOME_NET any -> [49.232.56.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511157; rev:1;)
# url rule: the http.uri content has depth equal to its own length, which anchors it at
# the start of the URI but leaves the end open (prefix match). http.host is pinned to
# the exact value by depth together with isdataat:!1,relative. Only a cleartext HTTP
# GET from an established client flow matches; the same URL fetched over TLS is not
# seen by this rule unless traffic is decrypted before it reaches the sensor.
# Unlike the ip:port rules there is no threshold here, so each matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"core.keloimnau.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511152; rev:1;)
# domain rule for the same host as sid:91511152. dns_query with depth equal to the name
# length plus isdataat:!1,relative matches the queried name exactly (nocase), so a
# lookup of a subdomain of this name does not fire. A hit shows a lookup from the
# source host, not that the payload was fetched; correlate with sid:91511152.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.keloimnau.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511153; rev:1;)
# url rule at confidence_level 75: the URI part is a five-byte prefix ("/qoxo"), so the
# exact http.host match is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"xclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511149/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511149; rev:1;)
# url rules, confidence_level 75, one per ThreatFox IOC (sid = 9 + IOC id from the
# reference URL). Each requires, on an established client-to-server HTTP flow:
#   - method GET,
#   - a URI that starts with the listed five-byte path (depth equals the content
#     length; there is no end anchor, so longer URIs with that prefix also match),
#   - an http.host equal to the listed name (depth plus isdataat:!1,relative).
# The short path adds little on its own; specificity comes from the exact host match.
# These rules see cleartext HTTP only and carry no threshold, so every matching
# request raises an alert.
# NOTE(review): no dns rule for these hosts appears in this part of the file - check
# whether the feed carries one elsewhere before relying on DNS coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"ybiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511150/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"slatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511148/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"nequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511147/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"hnwoodpeckersd.run"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511146/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/xapp"; depth:5; nocase; http.host; content:"ahemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511145/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"8biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511144/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"0topographky.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511143/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"rlatitudert.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511142/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"mclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511141/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoxo"; depth:5; nocase; http.host; content:"fclarmodq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511140/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmand"; depth:6; nocase; http.host; content:"digilayerx.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511139/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr.php"; depth:8; nocase; http.host; content:"beemorning.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apri.php"; depth:9; nocase; http.host; content:"beemorning.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oil.php"; depth:8; nocase; http.host; content:"birthteeth.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"fleshplants.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kuqob.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511134; rev:1;) alert tcp $HOME_NET any -> [1.94.255.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511133; rev:1;) alert tcp $HOME_NET any -> [121.40.154.130] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511132; rev:1;) alert tcp $HOME_NET any -> [43.137.42.33] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511129; rev:1;) alert tcp $HOME_NET any -> [47.121.222.227] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511130; rev:1;) alert tcp $HOME_NET any -> [160.202.227.54] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511131; rev:1;) alert tcp $HOME_NET any -> [47.111.125.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511128; rev:1;) alert tcp $HOME_NET any -> [139.159.212.103] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tafoz.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511012/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_25; classtype:trojan-activity; sid:91511012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftftp.serveftp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vogos.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/geturl"; depth:11; nocase; http.host; content:"analytiwave.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a1f2b3c4d5e6f7a8b9c0d1e2f3a4b5/"; depth:33; nocase; http.host; content:"goclouder.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6c4d1a9f8g3h7e5n6b5a9de4f"; depth:27; nocase; 
http.host; content:"security.cludfgard.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress"; depth:10; nocase; http.host; content:"security.cludfgard.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.nemzieo.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.nemzieo.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.exe"; depth:9; nocase; http.host; content:"undo.sg"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511051/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511051; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"undo.sg"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511052/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_25; classtype:trojan-activity; sid:91511052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"napiv.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goclouder.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6c4d1a9f8g3h7e5n6b5a9de4f"; depth:27; nocase; http.host; content:"security.flaearegyaard.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security.flaearegyaard.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511077; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress"; depth:10; nocase; http.host; content:"security.flaearegyaard.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"keloimnau.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keloimnau.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.keloimnau.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"keloimnau.info"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511083; rev:1;)
#
# Reading guide for the rules below (one rule per line).
#
# Every rule carries its ThreatFox IOC id in reference:url, and the sid is that
# id with a leading 9 (ioc/1511084 -> sid:91511084), so an alert can be traced
# back to the IOC entry from the sid alone. confidence_level in metadata repeats
# the percentage shown in msg. target:src_ip marks the $HOME_NET side of the
# event as the target.
#
# Three rule shapes occur:
#
#  * alert dns ... dns_query; content:"<name>"; depth:<len>; isdataat:!1,relative; nocase;
#    depth equals the length of the name and isdataat:!1,relative requires that
#    no byte follows the match, so the query has to equal the name exactly, in
#    any letter case. Subdomains are not covered: a query for www.keloimnau.info
#    does not fire the keloimnau.info rule. dns_query is the older spelling of
#    the dns.query buffer.
#
#  * alert http ... http.method "GET"; http.uri content + depth; http.host content + depth + isdataat
#    The host has to equal the listed value exactly. The URI is anchored at its
#    start only (depth pins it to offset 0, nothing pins the end), so a longer
#    URI that begins with the same bytes matches as well.
#    NOTE(review): these rules need a parsed HTTP request; presumably requests
#    to the same host inside TLS are visible only to the dns rule for that
#    name, where the feed has one -- confirm against sensor placement.
#
#  * alert tcp $HOME_NET any -> [ip] port ... threshold: type limit, track by_src, seconds 60, count 1;
#    There is no content, flow or flags keyword, so nothing in the rule requires
#    an established connection or a particular protocol: the alert says that a
#    $HOME_NET host sent TCP traffic to that address and port, not that the
#    family named in msg was observed on the wire. The threshold keeps this to
#    one alert per source address per 60 seconds for each rule.
#    NOTE(review): an address-only match ages with the address; check
#    first_seen and the referenced IOC entry before treating a hit on an old
#    rule as confirmed.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keloimnau.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d2a.js"; depth:8; nocase; http.host; content:"grrlspace.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"core.keloimnau.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"grrlspace.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.keloimnau.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511088; rev:1;)
alert tcp $HOME_NET any -> [194.36.171.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511089; rev:1;)
alert tcp $HOME_NET any -> [113.45.10.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511090; rev:1;)
alert tcp $HOME_NET any -> [111.173.104.176] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511091; rev:1;)
alert tcp $HOME_NET any -> [176.65.142.74] 3371 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511092; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.101] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511093; rev:1;)
alert tcp $HOME_NET any -> [192.24.224.215] 8880 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511096; rev:1;)
alert tcp $HOME_NET any -> [192.24.224.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511095; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.101] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511094; rev:1;)
alert tcp $HOME_NET any -> [194.164.93.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511097; rev:1;)
alert tcp $HOME_NET any -> [192.153.57.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511098; rev:1;)
alert tcp $HOME_NET any -> [181.32.34.147] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511103; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.245] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511099; rev:1;)
alert tcp $HOME_NET any -> [80.98.145.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511102; rev:1;)
alert tcp $HOME_NET any -> [51.68.26.225] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511104; rev:1;)
alert tcp $HOME_NET any -> [157.10.73.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511105; rev:1;)
alert tcp $HOME_NET any -> [217.125.90.31] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511106; rev:1;)
alert tcp $HOME_NET any -> [13.127.79.254] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511107; rev:1;)
alert tcp $HOME_NET any -> [3.126.234.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511108; rev:1;)
alert tcp $HOME_NET any -> [128.85.35.85] 38935 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511109; rev:1;)
alert tcp $HOME_NET any -> [13.49.223.229] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511110; rev:1;)
alert tcp $HOME_NET any -> [188.213.174.59] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511111; rev:1;)
alert tcp $HOME_NET any -> [35.202.11.12] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511114; rev:1;)
alert tcp $HOME_NET any -> [3.82.48.232] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511112; rev:1;)
alert tcp $HOME_NET any -> [41.78.75.244] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511113; rev:1;)
alert tcp $HOME_NET any -> [3.228.32.116] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"www.keloimnau.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare.msi"; depth:15; nocase; http.host; content:"keloimnau.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keloimnau.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xuvyc.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511124; rev:1;)
alert tcp $HOME_NET any -> [124.71.199.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511118; rev:1;)
alert tcp $HOME_NET any -> [167.86.174.240] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511117; rev:1;)
alert tcp $HOME_NET any -> [140.228.29.33] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511101; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.48] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511100; rev:1;)
# confidence_level 50: the lowest value among the rules shown in this part of
# the file. The http.host pattern is an IP literal, so only requests whose host
# value is that literal address match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"139.5.1.172"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511081/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_25; classtype:trojan-activity; sid:91511081; rev:1;)
alert tcp $HOME_NET any -> [13.246.39.244] 6005 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511074; rev:1;)
# sid:91511073 and sid:91511072 match hosting-provider hostnames that spell out
# an IP address in the name.
# NOTE(review): presumably such a name follows the address rather than the
# tenant using it -- confirm the IOC is still current before relying on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"96-126-124-158.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511073; rev:1;)
alert tcp $HOME_NET any -> [104.248.194.142] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-250-199-140.ap-southeast-1.compute.amazonaws.com"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511072; rev:1;)
alert tcp $HOME_NET any -> [176.57.188.16] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511070; rev:1;)
alert tcp $HOME_NET any -> [45.10.154.125] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511069; rev:1;)
alert tcp $HOME_NET any -> [161.129.65.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511068; rev:1;)
alert tcp $HOME_NET any -> [15.235.37.196] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511067; rev:1;)
alert tcp $HOME_NET any -> [194.102.105.105] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511066; rev:1;)
alert tcp $HOME_NET any -> [85.9.204.228] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511064; rev:1;)
alert tcp $HOME_NET any -> [51.89.177.234] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511065; rev:1;)
alert tcp $HOME_NET any -> [47.115.139.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511063; rev:1;)
alert tcp $HOME_NET any -> [43.250.174.95] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_25; classtype:trojan-activity; sid:91511062; rev:1;)
# Every complete rule from here to the end of this section carries
# first_seen 2025_04_24; the rules above carry 2025_04_25.
alert tcp $HOME_NET any -> [23.146.40.13] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511060/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"harmonyos.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511059/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511059; rev:1;)
# The url rules that follow (sid:91511058 down to sid:91511049) anchor a
# five-byte URI prefix at confidence 75. The prefix alone is short; what makes
# each rule specific is the exact http.host match that accompanies it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quwe"; depth:5; nocase; http.host; content:"netscoute.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511058/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"4climatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511057/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xasj"; depth:5; nocase; http.host; content:"slliftally.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511056/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pokd"; depth:5; nocase; http.host; content:"rusconfi.run"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511055/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"4quilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511054/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"astarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511053/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u1.spottyscary.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"yvigorbridgoe.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511049/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511049; rev:1;)
alert tcp $HOME_NET any -> [185.237.206.213] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511042/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511042; rev:1;)
alert tcp $HOME_NET any -> [88.237.133.108] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511041/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511041; rev:1;)
alert tcp $HOME_NET any -> [52.237.80.94] 40000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511040/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511040; rev:1;)
alert tcp $HOME_NET any -> [51.84.110.214] 47223 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511039/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511039; rev:1;)
alert tcp $HOME_NET any -> [45.197.150.76] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511038/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511038; rev:1;)
alert tcp $HOME_NET any -> [2.88.143.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511037/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511037; rev:1;)
alert tcp $HOME_NET any -> [38.60.203.20] 8088 (msg:"ThreatFox DOPLUGS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511036; rev:1;)
alert tcp $HOME_NET any -> [141.95.33.218] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511035/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511035; rev:1;)
alert tcp $HOME_NET any -> [111.229.202.115] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511034/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511034; rev:1;)
alert tcp $HOME_NET any -> [45.207.210.146] 55667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssh.setuap1.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511032; rev:1;)
alert tcp $HOME_NET any -> [95.216.184.3] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511031; rev:1;)
alert tcp $HOME_NET any -> [45.11.229.230] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511030; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.245] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511029; rev:1;)
alert tcp $HOME_NET any -> [179.43.186.237] 8081 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511028; rev:1;)
alert tcp $HOME_NET any -> [8.134.82.30] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511027; rev:1;)
alert tcp $HOME_NET any -> [13.229.27.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511026; rev:1;)
alert tcp $HOME_NET any -> [102.117.170.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511025; rev:1;)
alert tcp $HOME_NET any -> [108.181.218.70] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511023; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511024; rev:1;)
alert tcp $HOME_NET any -> [152.42.172.255] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511022; rev:1;)
alert tcp $HOME_NET any -> [179.61.237.133] 9090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511019; rev:1;)
alert tcp $HOME_NET any -> [85.158.108.187] 40106 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511020; rev:1;)
alert tcp $HOME_NET any -> [82.24.182.111] 9090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511021; rev:1;)
alert tcp $HOME_NET any -> [120.46.217.53] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511017; rev:1;)
alert tcp $HOME_NET any -> [38.207.176.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511018; rev:1;)
# Exact-name match on one host under duckdns.org; the parent domain and other
# names under it are not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rcraftstipaddrsrv17.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/sll.php"; depth:12; nocase; http.host; content:"jsmakert.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/flex.js"; depth:12; nocase; http.host; content:"jsmakert.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jsmakert.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/index.php"; depth:14; nocase; http.host; content:"jsmakert.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vezof.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/files/autolaunch.zip"; depth:27; nocase; http.host; content:"umpmfss.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badnesspandemic.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"badnesspandemic.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1511010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511010; rev:1;)
alert tcp $HOME_NET any -> [43.248.78.215] 51200 (msg:"ThreatFox lightSpy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1511008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ambiopharmconsultingltd.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ugconsultanceltd.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91511007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns.aqjcjss.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1511000/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91511000; rev:1;)
alert tcp $HOME_NET any -> [212.34.130.72] 15072 (msg:"ThreatFox GhostSocks botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510996; rev:1;)
alert tcp $HOME_NET any -> [77.238.237.190] 15072 (msg:"ThreatFox GhostSocks botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510997; rev:1;)
alert tcp $HOME_NET any -> [185.245.106.67] 15072 (msg:"ThreatFox GhostSocks botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510998; rev:1;)
alert tcp $HOME_NET any -> [193.187.172.163] 443 (msg:"ThreatFox GhostSocks botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510995; rev:1;)
alert tcp $HOME_NET any -> [62.60.154.3] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cogov.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510992; rev:1;)
alert tcp $HOME_NET any -> [111.67.206.166] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510991; rev:1;)
alert tcp $HOME_NET any -> [18.144.20.237] 54443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510989; rev:1;)
alert tcp $HOME_NET any -> [18.185.239.0] 27236 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510990; rev:1;)
alert tcp $HOME_NET any -> [115.74.25.138] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510987; rev:1;)
alert tcp 
$HOME_NET any -> [115.74.25.138] 5002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510988; rev:1;)
# NOTE(review): layout restored to one rule per line. The first and last lines of this span are
# pieces of rules that continue outside it and are left exactly as found.
#
# IP:port template (every rule in this span): there is no flow or flags keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches, including an unanswered SYN.
# An alert shows an attempt to reach the endpoint, not a completed session; confirm with flow
# records before treating the source host as compromised.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one alert per source
# address per 60 seconds. It limits alert volume only, not what matches.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
# The only age information in a rule is first_seen; check the referenced ThreatFox entry for
# the indicator's current status before acting on an address-only hit.
alert tcp $HOME_NET any -> [49.12.197.66] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510986; rev:1;)
alert tcp $HOME_NET any -> [80.209.243.125] 15747 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510985; rev:1;)
alert tcp $HOME_NET any -> [66.55.77.28] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510984; rev:1;)
alert tcp $HOME_NET any -> [34.102.113.135] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510983; rev:1;)
alert tcp $HOME_NET any -> [18.222.49.62] 3755 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510981/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510981; rev:1;) alert tcp $HOME_NET any -> [154.26.154.57] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510982; rev:1;) alert tcp $HOME_NET any -> [1.94.233.201] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bobab.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"penev.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hikig.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"93.190.143.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510977/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"yequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510976/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"tropiscbs.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510975/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"igeographys.run"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510974/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gffh"; depth:5; nocase; http.host; 
content:"edumakerb.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510973/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510973; rev:1;)
# NOTE(review): layout restored to one rule per line. The first and last lines of this span are
# pieces of rules that continue outside it and are left exactly as found.
#
# The three complete rules below carry confidence_level 75. The value appears only in msg and
# metadata and does not change how a rule fires, so any split between 75% and 100% indicators
# has to be made downstream on that field.
# http.host is matched exactly (depth plus isdataat:!1,relative), which is why
# "3biosphxere.digital" and "biosphxere.digital" are separate rules; another variant of the
# name is not covered until it has its own indicator. The http.uri pattern is pinned to the
# start only, so any GET whose URI begins with the listed path on that host matches.
# These are alert http rules: they fire on parsed HTTP requests only, so the same hosts reached
# over TLS are visible to the DNS-domain rules of this feed (where one exists) rather than here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"3biosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510971/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"biosphxere.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510972/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"2hemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510970/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"promo.kimmwhite.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510966/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_24; classtype:trojan-activity; sid:91510966; rev:1;) alert tcp $HOME_NET any -> [166.88.164.240] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qegyx.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"byqaj.press"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"promo.kimmwhite.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pybal.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510963; rev:1;) alert tcp $HOME_NET any -> [121.43.63.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510962/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510962; rev:1;) alert tcp $HOME_NET any -> [112.196.222.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510961/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510961; rev:1;) alert tcp $HOME_NET any -> [101.132.91.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510960/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usd1g6.cyou"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510959/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ui.chnaiuincom.cfd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510958/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glsk"; depth:5; nocase; http.host; content:"woodpeckersd.run"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1510957/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/banb"; depth:5; nocase; http.host; content:"vigorbridgoe.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510956/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlak"; depth:5; nocase; http.host; content:"topographky.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510955/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqoa"; depth:5; nocase; http.host; content:"rbiosphxere.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510954/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuwxx"; depth:6; nocase; http.host; content:"ltropiscbs.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510953/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510953; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirq"; depth:5; nocase; http.host; content:"geographys.run"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510952/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ixau"; depth:5; nocase; http.host; content:"cartograhphy.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510951/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1.putdownpopcorn.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vekeq.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pypim.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510923; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvrhelper.anondns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510924; rev:1;)
# NOTE(review): layout restored to one rule per line. The first and last lines of this span are
# pieces of rules that continue outside it and are left exactly as found.
#
# The DNS rules here list four separate hostnames under the same parent, anondns.net. Each rule
# is an exact, case-insensitive match on its full name (depth equal to the pattern length plus
# isdataat:!1,relative), so the parent zone itself is not matched and any other name under it
# raises nothing until it has its own indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techsupport.anondns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rustbot.anondns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miraisucks.anondns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510927; rev:1;)
# IP:port rule: no flow or flags keyword, so a single outbound TCP packet to the address and
# port is enough to alert; the threshold option only caps alerts at one per source per 60 s.
alert tcp $HOME_NET any -> [120.27.10.43] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510922; rev:1;)
alert tcp $HOME_NET any -> [104.233.210.195] 8000 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510921; rev:1;) alert tcp $HOME_NET any -> [37.143.15.110] 8888 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lupuj.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510904; rev:1;) alert tcp $HOME_NET any -> [79.133.51.132] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510919; rev:1;) alert tcp $HOME_NET any -> [18.185.239.0] 2086 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510918; rev:1;) alert tcp $HOME_NET any -> [86.54.42.245] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; 
sid:91510917; rev:1;) alert tcp $HOME_NET any -> [154.197.69.143] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510915; rev:1;) alert tcp $HOME_NET any -> [185.208.159.120] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510916; rev:1;) alert tcp $HOME_NET any -> [107.172.230.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510914; rev:1;) alert tcp $HOME_NET any -> [103.74.100.219] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510913; rev:1;) alert tcp $HOME_NET any -> [66.55.77.28] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510910; rev:1;) alert tcp $HOME_NET any -> [176.65.144.162] 5222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1510911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510911; rev:1;) alert tcp $HOME_NET any -> [188.218.81.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510912; rev:1;) alert tcp $HOME_NET any -> [66.103.199.102] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510907; rev:1;) alert tcp $HOME_NET any -> [8.130.111.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510908; rev:1;) alert tcp $HOME_NET any -> [101.35.228.105] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510909; rev:1;) alert tcp $HOME_NET any -> [43.134.117.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510905; rev:1;) alert tcp $HOME_NET any -> [45.136.125.85] 8080 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tazaz.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"94.158.247.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woodpeckersd.run"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wolverineas.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/p.cgi"; depth:14; nocase; http.host; content:"152.36.128.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510897; rev:1;)
# NOTE(review): layout restored to one rule per line. The first and last lines of this span are
# pieces of rules that continue outside it and are left exactly as found.
#
# NOTE(review): the match options of sid:91510898 below are identical to those of sid:91510897
# on the line above (GET, http.uri "/cgi-bin/p.cgi", http.host "152.36.128.18"); only the
# reference and the sid differ, so one request raises two alerts. Presumably the two ThreatFox
# entries differ in a part of the URL that this rule template does not encode - confirm against
# ioc/1510897 and ioc/1510898, and deduplicate or suppress one sid downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/p.cgi"; depth:14; nocase; http.host; content:"152.36.128.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510898; rev:1;)
# URL template: exact http.host, http.uri pinned to the start only, so any GET on the host
# whose URI begins with the listed path matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/srv/log"; depth:8; nocase; http.host; content:"qwlpert.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"timov.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"vickmarine.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510901/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qwlpert.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fyquc.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510899; rev:1;) alert tcp $HOME_NET any -> [51.89.54.13] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510894/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510894; rev:1;) alert tcp $HOME_NET any -> [173.207.107.203] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510893/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510893; rev:1;) alert tcp $HOME_NET any -> [13.248.204.3] 10004 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510892/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510892; rev:1;) alert tcp $HOME_NET any -> [51.68.128.171] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510891; rev:1;)
# ip:port IOCs (one rule per line; the fragment above closes a rule that starts
# before this span, and the last line below continues after it).
# These rules are header-only: there is no flow or content keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches, whatever the
# payload and whether or not a connection was ever established.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds for each rule.
# target:src_ip marks the $HOME_NET sender as the target side of the alert,
# i.e. the host to investigate.
# An alert therefore shows that a host tried to reach the endpoint, not that the
# malware family named in msg was identified on the wire. The address may also
# have changed hands since first_seen; check the reference URL and corroborate
# with endpoint or flow data before acting on a single hit.
# Two of the NetSupportManager rules below share the address 54.180.250.167 and
# differ only in destination port.
alert tcp $HOME_NET any -> [54.180.250.167] 10001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510889; rev:1;)
alert tcp $HOME_NET any -> [54.180.250.167] 27651 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510890; rev:1;)
alert tcp $HOME_NET any -> [13.208.169.228] 10260 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510888; rev:1;)
alert tcp $HOME_NET any -> [111.92.242.209] 5671 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510887; rev:1;)
alert tcp $HOME_NET any -> [47.17.64.199] 5555 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; 
classtype:trojan-activity; sid:91510886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nationwidedirectlender.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510885; rev:1;) alert tcp $HOME_NET any -> [18.169.110.44] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510884; rev:1;) alert tcp $HOME_NET any -> [191.93.113.197] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510882; rev:1;) alert tcp $HOME_NET any -> [82.223.48.201] 1433 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510883; rev:1;) alert tcp $HOME_NET any -> [20.89.67.216] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"185-38-142-128.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510880; rev:1;) alert tcp $HOME_NET any -> [154.219.104.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510879; rev:1;) alert tcp $HOME_NET any -> [47.122.55.128] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510878; rev:1;) alert tcp $HOME_NET any -> [107.173.191.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510876; rev:1;) alert tcp $HOME_NET any -> [43.138.81.232] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdblmtc4yzkwodk2/"; depth:18; nocase; http.host; content:"renkpin.net"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1510869/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_24; classtype:trojan-activity; sid:91510869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdblmtc4yzkwodk2/"; depth:18; nocase; http.host; content:"santorinotornado5.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510872/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_24; classtype:trojan-activity; sid:91510872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gyner.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdblmtc4yzkwodk2/"; depth:18; nocase; http.host; content:"lospallos25.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510870/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_24; classtype:trojan-activity; sid:91510870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdblmtc4yzkwodk2/"; depth:18; nocase; http.host; content:"sinagogdahaham1453.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510871/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_24; classtype:trojan-activity; sid:91510871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdblmtc4yzkwodk2/"; depth:18; nocase; http.host; content:"hahohahohoahoa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510873/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_24; classtype:trojan-activity; sid:91510873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"38.60.199.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510864; rev:1;) alert tcp $HOME_NET any -> [193.56.135.115] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510768; rev:1;) alert tcp $HOME_NET any -> [172.105.213.140] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510769; rev:1;) alert tcp $HOME_NET any -> [172.105.213.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510770; rev:1;) alert tcp $HOME_NET any -> [45.33.7.49] 4433 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510771; rev:1;) alert tcp $HOME_NET any -> [154.44.10.33] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fallenminer.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.zalopay.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.zalopay.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510776; rev:1;) alert tcp $HOME_NET any -> [54.37.136.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1510777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510777; rev:1;) alert tcp $HOME_NET any -> [34.211.59.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510779; rev:1;) alert tcp $HOME_NET any -> [172.210.176.139] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510778; rev:1;) alert tcp $HOME_NET any -> [82.112.244.87] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510780; rev:1;) alert tcp $HOME_NET any -> [121.40.87.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510781; rev:1;) alert tcp $HOME_NET any -> [18.211.221.99] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510782; rev:1;) alert tcp $HOME_NET any -> 
[3.126.234.72] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510783; rev:1;) alert tcp $HOME_NET any -> [128.199.172.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510784; rev:1;) alert tcp $HOME_NET any -> [120.26.234.98] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510785; rev:1;) alert tcp $HOME_NET any -> [161.97.108.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510786; rev:1;) alert tcp $HOME_NET any -> [13.49.225.120] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510787; rev:1;) alert tcp $HOME_NET any -> [34.16.115.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1510788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510788; rev:1;) alert tcp $HOME_NET any -> [103.196.155.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510789; rev:1;) alert tcp $HOME_NET any -> [43.203.56.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510790; rev:1;) alert tcp $HOME_NET any -> [103.180.165.159] 3399 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510791; rev:1;) alert tcp $HOME_NET any -> [64.227.181.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510794; rev:1;) alert tcp $HOME_NET any -> [193.56.135.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510766; rev:1;) alert tcp $HOME_NET any -> [95.129.234.5] 8808 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510763; rev:1;) alert tcp $HOME_NET any -> [193.56.135.115] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510767; rev:1;) alert tcp $HOME_NET any -> [101.132.91.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510760; rev:1;) alert tcp $HOME_NET any -> [51.89.54.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510761/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_24; classtype:trojan-activity; sid:91510761; rev:1;) alert tcp $HOME_NET any -> [38.60.199.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510762; rev:1;) alert tcp $HOME_NET any -> [23.146.40.13] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510758/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510758; rev:1;) alert tcp $HOME_NET any -> [111.124.203.18] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-205-242-143.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510756; rev:1;) alert tcp $HOME_NET any -> [60.205.183.232] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510757; rev:1;) alert tcp $HOME_NET any -> [194.87.190.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510792; rev:1;) alert tcp $HOME_NET any -> [146.190.236.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510793; rev:1;) alert tcp $HOME_NET any -> [38.47.255.181] 9999 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510795; rev:1;) alert tcp $HOME_NET any -> [18.222.246.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510796; rev:1;) alert tcp $HOME_NET any -> [193.57.27.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510797; rev:1;) alert tcp $HOME_NET any -> [52.33.244.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510799; rev:1;) alert tcp $HOME_NET any -> [47.86.224.163] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gutenortherad.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1510806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510806; rev:1;)
# Domain IOCs (one rule per line; the fragment above closes a rule that starts
# before this span). Each rule inspects the dns_query buffer. depth equals the
# length of the content string and isdataat:!1,relative requires that no byte
# follows it, so only a query for exactly this name matches; nocase makes the
# comparison case-insensitive. Subdomains and longer names are not matched,
# which also means a name hosted under a shared parent domain (for example the
# workers.dev entry below) does not cause alerts for unrelated names under
# that parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-app-server.vewojo9572.workers.dev"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"koonenmagaziner.click"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flamencobeents.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510804; rev:1;)
# URL IOCs. flow:established,from_client limits inspection to client requests
# on established flows, and http.method must be GET. The http.uri content is
# anchored at the start of the URI by depth, which makes it a prefix match: a
# longer path or a query string after it still matches. nocase applies to
# that URI content. http.host must equal the host exactly (depth plus
# isdataat:!1,relative).
# These rules only see traffic that Suricata parses as HTTP; the same URL
# fetched over TLS is not covered unless traffic is decrypted upstream.
# The next two rules carry confidence_level 50, lower than the other rules in
# this span; the value is also present in metadata and can be used when
# deciding how to triage them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"3piratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510637/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510637; rev:1;)
# NOTE(review): unlike the other url rules here, the rule below has no
# http.host condition and anchors the hostname-looking string "twizt.net" at
# the start of http.uri. A request URI normally begins with "/", so this rule
# probably never matches as written. Presumably the value was meant for
# http.host; confirm against the IOC at the reference URL before relying on
# this sid for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"twizt.net"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1510631/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510631; rev:1;)
# Three of the rules below share the URI prefix "/init1234" and differ only in
# the http.host value (grodis.cc, gluerrs.com, kloders.com).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/init1234"; depth:9; nocase; http.host; content:"grodis.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vigorbridgoe.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/init1234"; depth:9; nocase; http.host; content:"gluerrs.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/init1234"; depth:9; nocase; http.host; content:"kloders.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510677; rev:1;)
# The rule started on the next line continues past the end of this span.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"cartograhphy.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biosphxere.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topographky.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geographys.run"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tropiscbs.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eicp.byxwgimpbwiskniw.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1510647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lorda.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510645; rev:1;) alert tcp $HOME_NET any -> [194.110.247.90] 15390 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hylur.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndgadfqwywqe.pages.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jjiiiiiiiiijjjj.pages.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510803; 
rev:1;)
# Payload-delivery URL IOCs, confidence_level 95 (one rule per line; the
# fragment above closes a rule that starts before this span, and the last line
# below continues after it).
# Each rule requires an HTTP GET whose http.uri starts with the listed path
# (depth makes it a prefix match, nocase applies to the path) and whose
# http.host equals the listed host exactly (depth plus isdataat:!1,relative).
# NOTE(review): the paths are WordPress paths (wp-login.php,
# wp-content/plugins/...), so these hosts look like WordPress sites,
# presumably legitimate sites that were compromised; confirm at the reference
# URLs. In particular the first rule matches any GET to the login page of
# www.wearerescue.com. An alert shows that a host requested the URL, not that
# a payload was delivered or executed, so corroborate with the HTTP response
# and endpoint data.
# Only traffic that Suricata parses as HTTP is inspected; requests to the same
# URLs over TLS are not covered unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-login.php"; depth:13; nocase; http.host; content:"www.wearerescue.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510604/; target:src_ip; metadata: confidence_level 95, first_seen 2025_04_24; classtype:trojan-activity; sid:91510604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/resads/mfls.php"; depth:35; nocase; http.host; content:"setecores.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510605/; target:src_ip; metadata: confidence_level 95, first_seen 2025_04_24; classtype:trojan-activity; sid:91510605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-automatic/dwyrnb.php"; depth:43; nocase; http.host; content:"crushingthehairbiz.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510602/; target:src_ip; metadata: confidence_level 95, first_seen 2025_04_24; classtype:trojan-activity; sid:91510602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moszna/wp-content/plugins/resads/mfls.php"; depth:42; nocase; http.host; content:"emblemat.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510603/; target:src_ip; metadata: confidence_level 95, first_seen 2025_04_24; classtype:trojan-activity; sid:91510603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-automatic/pwlbdv.php"; depth:43; nocase; http.host; content:"atrandu.lt"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510601/; target:src_ip; metadata: confidence_level 95, first_seen 2025_04_24; classtype:trojan-activity; sid:91510601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"dealmakerwealthsociety.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510591/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_24; classtype:trojan-activity; sid:91510591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"id.webaudiomessages.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mansionsnowy.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"outlook.webaudiomessages.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"react.webaudiomessages.xyz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"airbluefootgear.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510597/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_24; classtype:trojan-activity; sid:91510597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastylamberta.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"walkinsonbeer.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tc1.easingaffix.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/geps"; depth:5; nocase; http.host; content:"bpchangeaie.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vickmarine.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3w1s.js"; depth:8; nocase; http.host; content:"vickmarine.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrdltd.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5q2g.js"; depth:8; nocase; http.host; content:"mrdltd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510586; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 56152 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510587/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iguanadx.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tycok.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vyzap.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510575; rev:1;) alert tcp $HOME_NET any -> [166.88.14.137] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510861; rev:1;) alert tcp $HOME_NET any -> [107.172.146.104] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510862/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510862; rev:1;) alert tcp $HOME_NET any -> [103.117.120.98] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510863; rev:1;) alert tcp $HOME_NET any -> [31.58.169.193] 8041 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510859/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510859; rev:1;) alert tcp $HOME_NET any -> [31.58.169.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"windows.ddnsguru.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510858/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sewektrip.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510857/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510857; rev:1;) alert tcp $HOME_NET any -> [37.1.207.4] 1415 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510856/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hamditebz-51107.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510855/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"v98acd.ssafileaccess.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510854/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510854; rev:1;) alert tcp $HOME_NET any -> [38.60.199.31] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510853/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510853; rev:1;) alert tcp $HOME_NET any -> [13.208.161.251] 2181 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510852/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510852; rev:1;) alert tcp $HOME_NET any -> [196.119.210.163] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510851/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510851; rev:1;) alert tcp $HOME_NET any -> [111.229.202.115] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510850/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510850; rev:1;) alert tcp $HOME_NET any -> [44.242.215.251] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510848/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510848; rev:1;) alert tcp $HOME_NET any -> [44.242.215.251] 5249 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510849/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510849; rev:1;) alert tcp $HOME_NET any -> [3.83.247.253] 444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510847/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510847; rev:1;) alert tcp $HOME_NET any -> [121.43.63.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510846/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_24; classtype:trojan-activity; sid:91510846; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hobir.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510844; rev:1;) alert tcp $HOME_NET any -> [175.41.179.174] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510801; rev:1;) alert tcp $HOME_NET any -> [3.69.54.234] 5985 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510798; rev:1;) alert tcp $HOME_NET any -> [45.76.251.42] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510774; rev:1;) alert tcp $HOME_NET any -> [107.175.32.185] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510765; rev:1;) alert tcp $HOME_NET any -> [107.175.32.184] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510764/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"piver.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cuxer.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gutom.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510753; rev:1;) alert tcp $HOME_NET any -> [81.71.248.248] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510752/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510752; rev:1;) alert tcp $HOME_NET any -> [185.196.11.181] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510750/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510750; rev:1;) alert tcp $HOME_NET any -> [185.196.11.181] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510751/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510751; rev:1;) alert tcp $HOME_NET any -> [106.55.69.180] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510749/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdn-credit-d814.101archstreet.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510748/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_24; classtype:trojan-activity; sid:91510748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jahoc.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gubuj.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rocyg.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1510745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ginoz.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pepuq.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510743; rev:1;) alert tcp $HOME_NET any -> [23.136.44.116] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sso.zalopay.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal.zalopay.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510741; rev:1;) 
# ---------------------------------------------------------------------------
# Reading notes for the rules below (rule text itself is unchanged from the
# feed; only line breaks and these comments were added).
#
# Every rule alerts on traffic leaving $HOME_NET, and target:src_ip marks the
# internal source address as the target of the event, i.e. the host to triage.
# sid is "9" followed by the ThreatFox IOC id from the reference URL
# (ioc/1510738 -> sid:91510738), so keep local rules out of that range.
#
# ip:port rules (alert tcp ... -> [IP] PORT):
#   - There is no flow, flags or payload keyword: any TCP packet from
#     $HOME_NET to that address and port matches, whatever the protocol.
#   - threshold type limit / track by_src / count 1 / seconds 60 caps output at
#     one alert per source address per 60 seconds for that rule.
#   - The indicator is only an address and port. Use confidence_level and
#     first_seen in metadata when triaging; addresses on shared or cloud
#     hosting can be reassigned, so review old entries.
#
# domain rules (alert dns ... dns_query):
#   - depth equals the content length, which pins the match to the start of
#     the query name, and isdataat:!1,relative requires that nothing follows.
#     With nocase this is a case-insensitive exact match on the whole name;
#     other labels under the same parent domain do not match.
#   - NOTE(review): dns_query is the older spelling of the dns.query buffer,
#     while the http rules use the dotted names - confirm the target Suricata
#     version still accepts it.
#
# url rules (alert http ...):
#   - http.host is matched exactly (depth + isdataat:!1,relative); http.uri has
#     depth but no end anchor, so it is a prefix match on the request URI.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [18.224.153.152] 9999 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510738; rev:1;)
alert tcp $HOME_NET any -> [3.25.188.83] 30228 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510739; rev:1;)
alert tcp $HOME_NET any -> [154.12.16.122] 19999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510737; rev:1;)
alert tcp $HOME_NET any -> [164.90.172.49] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510736; rev:1;)
alert tcp $HOME_NET any -> [186.169.81.137] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510734; rev:1;)
alert tcp $HOME_NET any -> [157.66.26.148] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510735; rev:1;)
alert tcp $HOME_NET any -> [154.12.40.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510733; rev:1;)
alert tcp $HOME_NET any -> [192.3.118.5] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510731; rev:1;)
# Same destination address as sid:91510734 above, on a different port and
# attributed to a different family in msg.
alert tcp $HOME_NET any -> [186.169.81.137] 8888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_24; classtype:trojan-activity; sid:91510732; rev:1;)
# Entries from here on carry first_seen 2025_04_23.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wunep.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510685; rev:1;)
alert tcp $HOME_NET any -> [219.144.88.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510684/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510684; rev:1;)
alert tcp $HOME_NET any -> [202.144.192.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510683/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510683; rev:1;)
alert tcp $HOME_NET any -> [157.148.125.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510682/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510682; rev:1;)
alert tcp $HOME_NET any -> [122.246.30.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510681/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510681; rev:1;)
alert tcp $HOME_NET any -> [120.232.158.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510680/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510680; rev:1;)
alert tcp $HOME_NET any -> [119.8.108.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510679/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510679; rev:1;)
alert tcp $HOME_NET any -> [116.162.153.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510678/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510678; rev:1;)
alert tcp $HOME_NET any -> [195.2.75.24] 33334 (msg:"ThreatFox Unidentified 121 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510674; rev:1;)
alert tcp $HOME_NET any -> [8.211.157.140] 2002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510667/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510667; rev:1;)
alert tcp $HOME_NET any -> [75.2.11.125] 8128 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510666/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510666; rev:1;)
alert tcp $HOME_NET any -> [69.157.7.189] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510665/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510665; rev:1;)
alert tcp $HOME_NET any -> [24.62.238.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510664/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510664; rev:1;)
alert tcp $HOME_NET any -> [194.163.188.142] 9191 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510663/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510663; rev:1;)
# Exact-name match on one host label under duckdns.org; the parent domain and
# its other labels are not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dum555.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510662/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510662; rev:1;)
alert tcp $HOME_NET any -> [191.112.31.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510661/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510661; rev:1;)
alert tcp $HOME_NET any -> [190.145.78.30] 444 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510660/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510660; rev:1;)
# The URI pattern is only "/" with depth:1, so for ordinary request URIs this
# is in effect a GET-to-host match; the selectivity comes from http.host.
# It has no threshold keyword, so each matching request can alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cloudflare.eclassexperts.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510659/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510659; rev:1;)
alert tcp $HOME_NET any -> [52.33.227.95] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510657/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510657; rev:1;)
alert tcp $HOME_NET any -> [91.107.227.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510658/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510658; rev:1;)
alert tcp $HOME_NET any -> [5.183.95.24] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510656/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510656; rev:1;)
alert tcp $HOME_NET any -> [169.55.107.211] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510655/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510655; rev:1;)
alert tcp $HOME_NET any -> [62.171.170.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510653/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510653; rev:1;)
alert tcp $HOME_NET any -> [47.120.46.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510654/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510654; rev:1;)
alert tcp $HOME_NET any -> [93.113.25.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510652/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510652; rev:1;)
alert tcp $HOME_NET any -> [47.238.140.204] 5544 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510651/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510651; rev:1;)
alert tcp $HOME_NET any -> [107.189.25.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510650/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510650; rev:1;)
alert tcp $HOME_NET any -> [140.245.122.39] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510649/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510649; rev:1;)
alert tcp $HOME_NET any -> [102.159.226.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510648/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510648; rev:1;)
alert tcp $HOME_NET any -> [194.233.76.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510630; rev:1;)
# ip:port indicators. These rules carry no flow, flag or content keyword, so
# any TCP packet from $HOME_NET to the listed address and port can raise them;
# an alert shows an attempt to reach the endpoint, not a completed C2 session.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source host per 60 seconds. Addresses get reassigned over time, so
# weigh first_seen and confidence_level in metadata before acting on a hit.
alert tcp $HOME_NET any -> [191.96.235.70] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510629; rev:1;)
alert tcp $HOME_NET any -> [52.69.244.101] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510628; rev:1;)
alert tcp $HOME_NET any -> [54.250.0.227] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510627; rev:1;)
alert tcp $HOME_NET any -> [18.199.99.219] 42969 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510626; rev:1;)
# Domain indicator. depth equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so dns_query must equal the name exactly (nocase);
# lookups for subdomains of it are not matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"relyheins.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510625; rev:1;)
alert tcp $HOME_NET any -> [65.38.121.128] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1510623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510623; rev:1;) alert tcp $HOME_NET any -> [164.92.184.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510624; rev:1;) alert tcp $HOME_NET any -> [164.90.180.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510621; rev:1;) alert tcp $HOME_NET any -> [143.110.213.30] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510622; rev:1;) alert tcp $HOME_NET any -> [51.175.8.79] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510620; rev:1;) alert tcp $HOME_NET any -> [154.37.213.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510619; rev:1;) alert tcp $HOME_NET any -> 
[172.245.25.184] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510617; rev:1;) alert tcp $HOME_NET any -> [173.214.166.105] 4352 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510618; rev:1;) alert tcp $HOME_NET any -> [107.175.32.184] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510614; rev:1;) alert tcp $HOME_NET any -> [107.174.65.156] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510615; rev:1;) alert tcp $HOME_NET any -> [192.142.0.149] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510616; rev:1;) alert tcp $HOME_NET any -> [175.27.137.222] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510613/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510613; rev:1;) alert tcp $HOME_NET any -> [119.8.108.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510612; rev:1;) alert tcp $HOME_NET any -> [124.71.139.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510610; rev:1;) alert tcp $HOME_NET any -> [120.46.16.37] 1144 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510611; rev:1;) alert tcp $HOME_NET any -> [31.58.136.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510608; rev:1;) alert tcp $HOME_NET any -> [121.37.217.210] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510609; rev:1;) alert tcp $HOME_NET any -> [77.110.116.47] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510606; rev:1;) alert tcp $HOME_NET any -> [77.110.116.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"gstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510570/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jellyfisnbnh.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.glucoseranger.digital"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"factisland.icu"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decisioniron.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr.php"; depth:8; nocase; http.host; content:"factisland.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apri.php"; depth:9; nocase; http.host; content:"factisland.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"guitarcars.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pejnguin.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510558; rev:1;) alert tcp $HOME_NET any -> [176.65.134.100] 31679 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510554/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mtowner.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5t4r.js"; depth:8; nocase; http.host; content:"mtowner.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4e3r.js"; depth:8; nocase; http.host; content:"mtowner.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"mtowner.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kasej.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soficave.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/sss.php"; depth:12; nocase; http.host; content:"soficave.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/loop.js"; depth:12; nocase; http.host; content:"soficave.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510540/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_23; classtype:trojan-activity; sid:91510540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/loop.js"; depth:12; nocase; http.host; content:"ayzyw.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/sss.php"; depth:12; nocase; http.host; content:"ayzyw.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ayzyw.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlm/index.php"; depth:14; nocase; http.host; content:"ayzyw.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510533; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 52684 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1510516/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"recommended-collins.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510517/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510517; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 57016 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510514/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"panel-thrown.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510515/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solidewi.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"junyk.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510503; 
rev:1;)
# URL indicator. http.host is pinned to the exact host (depth equals the
# pattern length, plus isdataat:!1,relative); http.uri is anchored only at its
# start, so any GET whose URI begins with the listed path matches. The http.*
# buffers exist only where Suricata can parse the request, i.e. cleartext or
# already-decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profilelayout"; depth:14; nocase; http.host; content:"www.ishimotors.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510488; rev:1;)
alert tcp $HOME_NET any -> [23.146.184.28] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ishimotors.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dafeq.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510487; rev:1;)
# Header protocol is tcp: only TCP traffic to port 53 on this address is
# covered; UDP to the same endpoint is outside this rule.
alert tcp $HOME_NET any -> [154.44.10.82] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510532/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510532; rev:1;)
# The URI pattern is "/" with depth:1, so every GET whose Host is exactly the
# listed value matches, whatever the path. The feed rates this indicator at
# confidence_level 50; triage hits accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"207.244.199.46"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510519; rev:1;)
alert tcp $HOME_NET any -> [35.205.244.23] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"incog.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510513; rev:1;)
alert tcp $HOME_NET any -> [114.132.94.52] 5050 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510512; rev:1;)
alert tcp $HOME_NET any -> [158.180.231.221] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510511; rev:1;)
alert tcp $HOME_NET any -> [213.209.150.170] 9841 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1510510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akkiosk.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510509; rev:1;) alert tcp $HOME_NET any -> [102.117.171.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510508; rev:1;) alert tcp $HOME_NET any -> [128.90.113.170] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510506; rev:1;) alert tcp $HOME_NET any -> [23.95.106.22] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510507; rev:1;) alert tcp $HOME_NET any -> [142.202.242.184] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510505; rev:1;) alert tcp $HOME_NET any -> [46.8.69.46] 
443 (msg:"ThreatFox GhostSocks botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510502; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.101] 5892 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510501; rev:1;)
# NOTE(review): pastebin.com is normally served over HTTPS. This rule inspects
# http.method / http.uri / http.host, which exist only for requests Suricata
# can parse as HTTP, so it presumably stays silent unless TLS is decrypted
# ahead of the sensor or the client uses cleartext. Confirm coverage before
# relying on it; the feed rates the indicator at confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/kxhntszw"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510500/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510500; rev:1;)
# Domain indicators: depth equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly this name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"popbaggy.ignorelist.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510498/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zainezw.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510499/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510499; rev:1;)
# NOTE(review): api.telegram.org is normally reached over HTTPS, so the same
# visibility caveat applies: the http.* buffers are populated only for
# cleartext or decrypted requests. The match is tied to one URI prefix
# (depth:51, nocase) on the exact host, so other requests to the host do not
# raise this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7309095694:aaexfdt7c83fftvgyimcrdzyyxx9okr4q6g/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510497; rev:1;)
# ip:port indicators below have no flow or content keyword; any TCP packet to
# the endpoint can raise them, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [218.104.52.188] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510496; rev:1;)
alert tcp $HOME_NET any -> [31.172.74.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510495/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510495; rev:1;)
alert tcp $HOME_NET any -> [95.131.202.38] 9443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510493/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510493; rev:1;)
alert tcp $HOME_NET any -> [212.69.167.73] 9443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510494/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510494; rev:1;)
alert tcp $HOME_NET any -> [159.203.2.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1510491/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510491; rev:1;) alert tcp $HOME_NET any -> [39.100.84.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510492/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mysyv.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510484; rev:1;) alert tcp $HOME_NET any -> [82.115.223.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510485/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510485; rev:1;) alert tcp $HOME_NET any -> [193.5.65.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510483/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510483; rev:1;) alert tcp $HOME_NET any -> [119.29.28.34] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510482/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510482; rev:1;) alert tcp $HOME_NET any -> [114.132.180.69] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510481/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510481; rev:1;) alert tcp $HOME_NET any -> [107.174.67.215] 9312 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eztest.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510479/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"palid.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pebeg.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510478; rev:1;) alert tcp $HOME_NET any -> [13.38.11.108] 8888 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1510477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510477; rev:1;)
# ip:port IOC rules (confidence_level 100). The match is the rule header alone:
# TCP from $HOME_NET to one address and port, with no flow, payload or app-layer
# condition. An alert therefore shows that a host sent a packet to the endpoint,
# not that a C2 session was established or which protocol was spoken.
# `threshold: type limit, track by_src, seconds 60, count 1` emits at most one
# alert per source address per 60 seconds for each rule.
# Each sid covers exactly one address/port pair. 13.38.11.108 and 123.249.20.20
# are each listed on two ports under separate sids, so one infected host can
# raise two alerts for the same remote address.
alert tcp $HOME_NET any -> [13.38.11.108] 88 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510476; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.245] 4443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510475; rev:1;)
alert tcp $HOME_NET any -> [115.74.25.138] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510473; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.170] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510472; rev:1;)
alert tcp $HOME_NET any -> [172.94.9.164] 1962 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510471; rev:1;)
alert tcp $HOME_NET any -> [104.37.4.27] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510469; rev:1;)
alert tcp $HOME_NET any -> [109.120.137.86] 101 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510470; rev:1;)
alert tcp $HOME_NET any -> [106.75.21.94] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510467; rev:1;)
alert tcp $HOME_NET any -> [101.126.10.97] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510468; rev:1;)
alert tcp $HOME_NET any -> [118.195.189.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510466; rev:1;)
alert tcp $HOME_NET any -> [123.249.20.20] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510465; rev:1;)
alert tcp $HOME_NET any -> [149.104.29.129] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510463; rev:1;)
alert tcp $HOME_NET any -> [123.249.20.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510464; rev:1;)
# Domain IOC rules. `dns_query` selects the DNS query name; `depth:N` (N is the
# pattern length in each rule here) anchors the content at the start of the
# buffer and `isdataat:!1,relative` requires the buffer to end right after it.
# With `nocase` this is a case-insensitive exact-name match: a query for a
# subdomain of a listed name is not detected.
# The msg names no malware family for these entries; use the reference URL for
# attribution.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shelducopk.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510453/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"keywestuy.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510454/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vampirebioat.digital"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510455/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"manateeiu.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510456/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510456; rev:1;)
# Domain IOC rules. `dns_query` selects the DNS query name; `depth:N` equals the
# pattern length in each rule here, so the content must start the buffer, and
# `isdataat:!1,relative` requires that nothing follows it. Together with `nocase`
# this is a case-insensitive match on the exact name only; subdomains of a listed
# name are not covered.
# Detection depends on the sensor seeing the lookup as cleartext DNS; resolution
# over DoH/DoT or out of the sensor's view produces no alert.
# `target:src_ip` records the querying $HOME_NET address as the target side. If
# clients resolve through an internal recursive resolver, that address is
# presumably the resolver rather than the endpoint; correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quollgjk.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510457/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shrimpcvd.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510458/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pldcbus.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510459/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tarantutyla.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510460/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bullfrogvc.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510461/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kangaroojh.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510462/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nynoj.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"juhup.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-2k7q-check.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510451; rev:1;)
# Hostnames under duckdns.org, a dynamic-DNS zone. Each rule matches one exact
# hostname, not the zone. The listed names differ only in a trailing digit
# (…sts1/2/3, …mis5/6); other numbers in either series are not covered here.
# NOTE(review): presumably only observed names are published — a local rule on
# the shared prefix may be worth considering.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fartgo21oursts1.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fartgo21oursts2.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fartgo21oursts3.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hajouts8koumis5.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hajouts8koumis6.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510447; rev:1;)
# ip:port IOC rule: header-only match (TCP from $HOME_NET to one address and
# port, no flow or payload keyword), rate-limited by the threshold to one alert
# per source address per 60 seconds. confidence_level 50: corroborate before
# acting on a hit.
alert tcp $HOME_NET any -> [94.156.227.204] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510445/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.themodaempire.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510434/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510434; rev:1;)
# Domain IOC rules at confidence_level 50. `dns_query` selects the DNS query
# name; `depth:N` equals the pattern length in each rule here and
# `isdataat:!1,relative` requires the buffer to end after the pattern, so with
# `nocase` each rule is a case-insensitive exact-name match.
# Every entry carries the `www.` label: a query for the bare registered domain,
# or for any other host under it, does not match.
# The msg names no malware family and the confidence is the lowest in this
# stretch of the feed; treat a single hit as a lead to corroborate (host
# telemetry, repeated lookups from the same source) rather than a confirmed
# infection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.time4beauty-blog.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510435/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tuthofilly.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510436/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uniqueeyez.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510437/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wamohssurgery.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510438/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wwwvn602.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510439/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wx-newtork.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510440/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510440; rev:1;)
# The two `xn--` names below are IDNA A-labels (punycode). The rule matches the
# ASCII form, which is what a DNS query carries; the Unicode rendering shown in
# a browser or log UI will look different.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xn--950bn7a776apfal10cnib.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510441/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xn--bescheidprfung-psb.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510442/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yemail.email"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510443/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.youngminds.place"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1510444/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.testvmsept07yyyyy.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510433/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.myaeh.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510421/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mycarefamily.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510422/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nostalgicexpress.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510423/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nowgopaint.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510424/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; 
classtype:trojan-activity; sid:91510424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nulunauniversity.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510425/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.petal.parts"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510426/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.plombierslivrygargan.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510427/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rencornachine.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510428/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sanmarinoseries.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510429/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.seadragonfob.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510430/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.surfbumapparel.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510431/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.taylormthomas.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510432/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.harmonyviolin.win"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510409/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hemalipaterl.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510410/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.jennashrivercoaching.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510411/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jinchenjin.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510412/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kimbhoh.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510413/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.la-forme-matrice.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510414/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lifemindmed.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510415/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lineagro.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1510416/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.liveoverseasconference.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510417/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mad.foundation"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510418/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.michaellobato.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510419/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.moneyprime.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510420/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cex.party"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510395/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; 
classtype:trojan-activity; sid:91510395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cirquedumarina.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510396/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.counsellingsupervisor.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510397/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cuchilleria.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510398/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.d55105.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510399/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dondavidaltopalermo.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510400/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.doomcrowoffical.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510401/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.faraon-beth6.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510402/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.freedom100plan.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510403/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ghyxm.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510404/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gmecpn.men"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510405/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.goodkindtrue.com"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510406/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gzsanj.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510407/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hami.link"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510408/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9cri.accountant"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510382/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aandswholesale.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510383/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.adithyavm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510384/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ads-line.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510385/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.airmediabda.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510386/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amcmadmen.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510387/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amonlineb.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510388/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.animalnooz.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510389/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510389; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.appin.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510390/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bbbav93931.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510391/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bojny.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510392/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bufdv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510393/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cagschools.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510394/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7needsofpatients.com"; 
depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510381/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510381; rev:1;)
# DNS-name rule: dns_query selects the query name as the inspection buffer.
# depth equals the length of the content string, so the match must begin at
# offset 0, and isdataat:!1,relative requires that no byte follows it. Together
# they make this an exact, case-insensitive (nocase) match on the full query
# name; a longer name that merely contains this string does not match.
# target:src_ip marks the $HOME_NET client as the affected host in the alert.
# confidence_level 50 is the feed's own rating: treat a hit as a lead to
# corroborate with other telemetry, not as confirmed compromise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yuklemeislemi.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510380/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510380; rev:1;)
# URL rules: flow:established,from_client limits inspection to client requests
# on established flows. http.uri is a prefix match (depth equals the length of
# the path string, nocase), so anything after the listed path is accepted.
# http.host is an exact match (depth equals the name length, plus
# isdataat:!1,relative).
# The first rule below uses the same host name as the DNS rule above
# (sid 91510380), so one client that resolves the name and then requests the
# path can raise both alerts; correlate on source address and time.
# These rules parse cleartext HTTP only. A request to the same host over TLS is
# not inspected here unless traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1l/"; depth:5; nocase; http.host; content:"www.yuklemeislemi.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510315/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.wamohssurgery.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.wwwvn602.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510309; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.wx-newtork.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510310/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.xn--950bn7a776apfal10cnib.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510311/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.xn--bescheidprfung-psb.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510312/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.yemail.email"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510313/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/s1/"; depth:4; nocase; http.host; content:"www.youngminds.place"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510314/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.surfbumapparel.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510301/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.taylormthomas.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510302/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.testvmsept07yyyyy.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510303/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.themodaempire.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510304/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.time4beauty-blog.info"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510305/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.tuthofilly.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.uniqueeyez.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510307/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.petal.parts"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510296/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.plombierslivrygargan.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510297/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.rencornachine.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510298/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.sanmarinoseries.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510299/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.seadragonfob.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510300/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; 
content:"www.moneyprime.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510290/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.myaeh.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510291/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.mycarefamily.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510292/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.nostalgicexpress.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510293/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.nowgopaint.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510294/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; 
classtype:trojan-activity; sid:91510294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.nulunauniversity.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510295/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.la-forme-matrice.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510284/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.lifemindmed.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510285/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.lineagro.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510286/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.liveoverseasconference.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510287/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.mad.foundation"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510288/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.michaellobato.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510289/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.harmonyviolin.win"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510279/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.hemalipaterl.com"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510280/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.jennashrivercoaching.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510281/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.jinchenjin.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510282/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.kimbhoh.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510283/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.freedom100plan.info"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510273/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; 
sid:91510273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.ghyxm.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510274/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.gmecpn.men"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510275/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.goodkindtrue.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510276/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.gzsanj.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510277/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/s1/"; depth:4; nocase; http.host; content:"www.hami.link"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510278/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.cuchilleria.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510268/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.d55105.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510269/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.dondavidaltopalermo.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510270/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.doomcrowoffical.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510271/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.faraon-beth6.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510272/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.bufdv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510263/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.cagschools.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510264/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.cex.party"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510265/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.cirquedumarina.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510266/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.counsellingsupervisor.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510267/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.amcmadmen.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510257/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.amonlineb.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510258/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.animalnooz.info"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510259/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.appin.tech"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510260/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.bbbav93931.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510261/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.bojny.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510262/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.7needsofpatients.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510251/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510251; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.9cri.accountant"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510252/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.aandswholesale.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510253/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.adithyavm.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510254/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; depth:4; nocase; http.host; content:"www.ads-line.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510255/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1/"; 
depth:4; nocase; http.host; content:"www.airmediabda.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510256/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.vtmarkets.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510250/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.173.61.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510249/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510249; rev:1;) alert tcp $HOME_NET any -> [185.235.178.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510248/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510248; rev:1;) alert tcp $HOME_NET any -> [54.189.181.127] 16098 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510246/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510246; rev:1;) alert tcp $HOME_NET any -> [13.232.63.191] 4321 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510247/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510247; rev:1;) alert tcp $HOME_NET any -> [3.144.188.154] 2067 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510245/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510245; rev:1;) alert tcp $HOME_NET any -> [192.241.137.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510244/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510244; rev:1;) alert tcp $HOME_NET any -> [8.137.108.138] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510243/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nuxul.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510240; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; 
classtype:trojan-activity; sid:91510238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zabo.0x504.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510239/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510239; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510241; rev:1;) alert tcp $HOME_NET any -> [69.157.7.189] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510237/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnbz"; depth:5; nocase; http.host; content:"ecoexpanpd.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510236/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510236; rev:1;) alert tcp $HOME_NET any -> [67.207.161.237] 1321 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510235/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/trust.zip"; depth:15; nocase; http.host; content:"apelmerah.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510216; rev:1;) alert tcp $HOME_NET any -> [103.251.164.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510234; rev:1;) alert tcp $HOME_NET any -> [194.59.30.50] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip-96-126-124-158.cloudezapp.io"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"payu-doladowania.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510232; rev:1;) alert tcp $HOME_NET any -> [47.254.247.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510230; rev:1;) alert tcp $HOME_NET any -> [116.212.185.242] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bgptools-wildcard-confirmed.duocphamhoanghuonghh.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"touchstonesinvestments.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510227; rev:1;) alert tcp $HOME_NET any -> [185.14.92.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510226; rev:1;) alert tcp $HOME_NET any -> [193.201.9.252] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510225/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510225; rev:1;) alert tcp $HOME_NET any -> [196.251.81.249] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510224; rev:1;) alert tcp $HOME_NET any -> [104.245.106.30] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510222; rev:1;) alert tcp $HOME_NET any -> [196.251.81.249] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510223; rev:1;) alert tcp $HOME_NET any -> [196.251.69.26] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510220; rev:1;) alert tcp $HOME_NET any -> [104.245.106.30] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510221; rev:1;) alert tcp $HOME_NET any -> [175.27.137.222] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510219; rev:1;) alert tcp $HOME_NET any -> [156.244.9.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510218; rev:1;) alert tcp $HOME_NET any -> [123.60.87.158] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510217; rev:1;) alert tcp $HOME_NET any -> [103.136.43.20] 47524 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510215/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"1zlatitudert.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510214/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fukuq.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510206/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"armlamp.icu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monthmeasure.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bik.php"; depth:8; nocase; http.host; content:"rabbitsweek.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apri.php"; depth:9; nocase; http.host; content:"monthmeasure.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/apr.php"; depth:8; nocase; http.host; content:"monthmeasure.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/limps.php"; depth:10; nocase; http.host; content:"sleepplants.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510210; rev:1;) alert tcp $HOME_NET any -> [176.65.134.169] 4700 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510205/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510205; rev:1;) alert tcp $HOME_NET any -> [13.60.92.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510154; rev:1;) alert tcp $HOME_NET any -> [3.126.146.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510152; rev:1;) alert tcp $HOME_NET any -> [3.136.93.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510153; rev:1;) alert tcp $HOME_NET any -> [149.104.30.249] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510150; rev:1;) alert tcp $HOME_NET any -> [168.138.12.215] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510151; rev:1;) alert tcp $HOME_NET any -> [3.222.229.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510148; rev:1;) alert tcp $HOME_NET any -> [167.172.161.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510149; rev:1;) alert tcp $HOME_NET any -> [35.193.71.154] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510145; rev:1;) alert 
tcp $HOME_NET any -> [3.125.210.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510146; rev:1;) alert tcp $HOME_NET any -> [212.98.168.28] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510147; rev:1;) alert tcp $HOME_NET any -> [67.207.73.203] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510142; rev:1;) alert tcp $HOME_NET any -> [83.149.93.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510143; rev:1;) alert tcp $HOME_NET any -> [3.132.156.130] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510144; rev:1;) alert tcp $HOME_NET any -> [51.15.194.103] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1510139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510139; rev:1;) alert tcp $HOME_NET any -> [194.87.190.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510140; rev:1;) alert tcp $HOME_NET any -> [27.124.20.217] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510137; rev:1;) alert tcp $HOME_NET any -> [27.124.20.183] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510138; rev:1;) alert tcp $HOME_NET any -> [186.169.63.145] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"20-255-61-139.cprapid.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510135; rev:1;) alert tcp $HOME_NET any -> 
[206.188.197.197] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advath.socalmediazone.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510131; rev:1;) alert tcp $HOME_NET any -> [66.63.187.252] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.evaluationcurrency.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510130; rev:1;) alert tcp $HOME_NET any -> [45.81.23.47] 1888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510129; rev:1;) alert tcp $HOME_NET any -> [185.146.232.86] 19752 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1510126/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_23; classtype:trojan-activity; sid:91510126; rev:1;) alert tcp $HOME_NET any -> [64.227.140.144] 53487 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510127/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_23; classtype:trojan-activity; sid:91510127; rev:1;) alert tcp $HOME_NET any -> [43.133.41.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510124; rev:1;) alert tcp $HOME_NET any -> [185.254.198.90] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510125/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_23; classtype:trojan-activity; sid:91510125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-27-106-109-232.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510122; rev:1;) alert tcp $HOME_NET any -> [196.251.72.189] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510123; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"en-bitcoin.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:bad-unknown; sid:91510120; rev:1;) alert tcp $HOME_NET any -> [67.131.59.192] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510155/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_23; classtype:trojan-activity; sid:91510155; rev:1;) alert tcp $HOME_NET any -> [41.226.122.34] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510156; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510158; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510159; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510160/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510160; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510161; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510177; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510178; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510179; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510180; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510181; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510182; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510183; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510190; rev:1;) alert tcp $HOME_NET any -> [185.39.19.20] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gdcbghvjyqy7jclk.onion.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510057/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; 
classtype:trojan-activity; sid:91510057; rev:1;)
# Domain indicators (DNS).
# Each dns rule pins the query name at both ends: depth equals the pattern length
# and isdataat:!1,relative requires that nothing follows the pattern. The match is
# the exact name listed (case-insensitive via nocase); a lookup of a subdomain of
# the same indicator does not alert.
# dns_query is the legacy spelling of the dns.query buffer, while the http rules in
# this feed use the dotted form (http.method, http.uri, http.host) - confirm the
# deployed Suricata version still accepts both spellings.
# The rules run $HOME_NET -> $EXTERNAL_NET with target:src_ip, so the alert is
# attributed to whichever host sent the query outward.
# NOTE(review): where clients use an internal recursive resolver, that source may be
# the resolver rather than the infected host, depending on sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdfikguoriqoir.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"checkuserseverdday.cloud"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flexingoto.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510093; rev:1;)
# The next name is a host label several levels below ply.gg. Because the rule pins
# the full 33-byte name, other labels under the same parent do not alert.
# NOTE(review): the parent looks like a shared tunnelling/forwarding namespace -
# confirm before deriving any wider block from this entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manufacturer-viewing.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nuwof.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510102; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.26] 50000 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510096; rev:1;) alert tcp $HOME_NET any -> [217.18.210.168] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510061/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gthfjdk.pages.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-check-u8a6.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tc.easingaffix.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vaboz.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1510049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510049; rev:1;) alert tcp $HOME_NET any -> [94.72.104.145] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510204; rev:1;) alert tcp $HOME_NET any -> [47.237.20.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510202; rev:1;) alert tcp $HOME_NET any -> [39.100.78.155] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510203; rev:1;) alert tcp $HOME_NET any -> [110.41.45.6] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510200; rev:1;) alert tcp $HOME_NET any -> [120.27.10.43] 6080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510201; rev:1;) alert tcp $HOME_NET any -> [5.75.214.250] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510187; rev:1;)
alert tcp $HOME_NET any -> [5.75.220.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510186; rev:1;)
# URL indicators for the same two addresses as the port-443 tcp rules.
# The URI test is content:"/" with depth:1, which any request path beginning with
# "/" satisfies, so in effect every GET whose Host is exactly the listed IP literal
# alerts. http.host is pinned at both ends (depth = pattern length, then
# isdataat:!1,relative).
# These are http rules: they inspect HTTP that the sensor can parse in cleartext.
# Unlike the tcp rules they carry no threshold option, so repeated requests from
# one host are not rate-limited by the rule itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.250"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.220.172"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510184; rev:1;)
# Lower-confidence entries: every rule from here to the end of this group carries
# confidence_level 50 in its metadata. The confidence is recorded only in msg and
# metadata; classtype is the same trojan-activity as the 100% entries, so triage
# that should treat them differently has to key on metadata confidence_level.
# NOTE(review): portmap.host, ply.gg and freeddns.org look like shared
# forwarding / dynamic-DNS parents - confirm. The rules pin the full host label,
# so they do not alert on other names under those parents.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hiraganadev-35044.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510174/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"beginning-convenient.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510175/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"click-vsnet.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510176/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510176; rev:1;)
# Single paste on a general-purpose paste host: the Host match alone would be far
# too broad, so the URI carries the indicator. The URI pattern is anchored at the
# start (depth:13) but not at the end, so any path that begins with it matches,
# and nocase also accepts other casings of the id.
# NOTE(review): as an http rule this sees nothing when the request travels inside
# TLS that the sensor cannot decrypt - verify coverage for this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/mxvfk6sh"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510173/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"assaa.freeddns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510172/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510172; rev:1;)
# URI "/" with depth:1 again: every cleartext GET to this exact Host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fansly.ad"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510171/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510171; rev:1;)
alert tcp $HOME_NET any -> 
[151.80.60.181] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510170/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510170; rev:1;)
# ip:port indicators, all at confidence_level 50.
# These rules have no flow, flags or content option: the only conditions are the
# destination address and port, so any TCP packet from $HOME_NET to that endpoint
# matches. An alert therefore shows that a host sent traffic towards the endpoint,
# not that a session was established or that the payload belonged to the named
# family.
# threshold type limit / track by_src / count 1 / seconds 60 caps each rule at one
# alert per source address per minute; the volume of traffic behind an alert has
# to come from flow or netflow records.
# The rules carry no expiry. first_seen in metadata is the only age signal, so
# entries should be reviewed against the referenced ThreatFox record when the feed
# is not refreshed regularly, since an address can change hands.
alert tcp $HOME_NET any -> [91.81.248.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510169/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510169; rev:1;)
alert tcp $HOME_NET any -> [185.62.87.191] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510168/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510168; rev:1;)
alert tcp $HOME_NET any -> [185.254.198.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510167/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510167; rev:1;)
alert tcp $HOME_NET any -> [15.223.199.62] 21 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510165/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510165; rev:1;)
alert tcp $HOME_NET any -> [13.247.61.156] 37 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510166/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510166; rev:1;) alert tcp $HOME_NET any -> [149.104.11.50] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510164/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510164; rev:1;) alert tcp $HOME_NET any -> [101.126.21.197] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510163/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510163; rev:1;) alert tcp $HOME_NET any -> [45.136.15.39] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510162/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_23; classtype:trojan-activity; sid:91510162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"ilongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510157/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510157; rev:1;) alert tcp $HOME_NET any -> [195.62.48.195] 80 (msg:"ThreatFox XehookStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510141; rev:1;) alert tcp $HOME_NET any -> 
[173.249.24.35] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510133; rev:1;) alert tcp $HOME_NET any -> [172.65.164.86] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510132; rev:1;) alert tcp $HOME_NET any -> [14.103.169.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510121/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_23; classtype:trojan-activity; sid:91510121; rev:1;) alert tcp $HOME_NET any -> [154.82.66.210] 5671 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510115; rev:1;) alert tcp $HOME_NET any -> [198.135.52.184] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510114; rev:1;) alert tcp $HOME_NET any -> [196.251.87.16] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510113/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510113; rev:1;) alert tcp $HOME_NET any -> [197.224.239.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510112; rev:1;) alert tcp $HOME_NET any -> [128.90.106.191] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510111; rev:1;) alert tcp $HOME_NET any -> [209.200.252.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510110; rev:1;) alert tcp $HOME_NET any -> [54.39.19.186] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510109; rev:1;) alert tcp $HOME_NET any -> [109.120.137.79] 101 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510108; rev:1;) alert tcp $HOME_NET any -> [106.75.210.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510107; rev:1;) alert tcp $HOME_NET any -> [175.27.137.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510106; rev:1;) alert tcp $HOME_NET any -> [3.66.86.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510103; rev:1;) alert tcp $HOME_NET any -> [196.251.118.128] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510104; rev:1;) alert tcp $HOME_NET any -> [209.250.246.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_23; classtype:trojan-activity; sid:91510105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"2d2azd2gymkef.cfc-execute.gz.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510101/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_04_22; classtype:trojan-activity; sid:91510101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"mequatorf.run"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510100/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"plongitudde.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510099/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"3hemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510098/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510098; rev:1;) alert tcp $HOME_NET any -> [93.95.228.58] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510090/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510090; rev:1;) alert tcp $HOME_NET any -> [8.216.82.145] 23333 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510089/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510089; rev:1;) alert tcp $HOME_NET any -> [52.86.74.200] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510088/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510088; rev:1;) alert tcp $HOME_NET any -> [43.131.5.83] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510086/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510086; rev:1;) alert tcp $HOME_NET any -> [43.131.5.83] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510087/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510087; rev:1;) alert tcp $HOME_NET any -> [35.86.80.194] 8081 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510085/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510085; rev:1;) alert tcp $HOME_NET any -> [188.234.232.119] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510084/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510084; rev:1;) alert tcp $HOME_NET any -> [159.65.52.75] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510083/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510083; rev:1;) alert tcp $HOME_NET any -> [54.169.225.216] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510082; rev:1;) alert tcp $HOME_NET any -> [159.65.91.137] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510080; rev:1;) alert tcp $HOME_NET any -> [116.2.176.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510081; rev:1;) alert tcp $HOME_NET any -> [15.206.170.157] 2454 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510079; rev:1;) alert tcp $HOME_NET any -> [34.243.214.249] 1961 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; 
classtype:trojan-activity; sid:91510078; rev:1;) alert tcp $HOME_NET any -> [115.74.25.138] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510076; rev:1;) alert tcp $HOME_NET any -> [115.74.25.138] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510077; rev:1;) alert tcp $HOME_NET any -> [111.229.202.115] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510075; rev:1;) alert tcp $HOME_NET any -> [174.113.20.53] 9601 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510073; rev:1;) alert tcp $HOME_NET any -> [38.132.122.213] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510074; rev:1;) alert tcp $HOME_NET any -> [38.132.122.214] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510072; rev:1;) alert tcp $HOME_NET any -> [128.90.106.191] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510069; rev:1;) alert tcp $HOME_NET any -> [128.90.106.191] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510070; rev:1;) alert tcp $HOME_NET any -> [101.43.131.215] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510068; rev:1;) alert tcp $HOME_NET any -> [107.148.149.107] 3013 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510067; rev:1;) alert tcp $HOME_NET any -> [147.185.221.27] 45031 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510030/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510030; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"introduction-satisfy.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510031/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mexitl.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510035; rev:1;)
# Three indicators for one host: two URL rules with specific paths and one dns
# rule for the bare name.
# The dns rule alerts on every lookup of the exact name, whatever is requested
# afterwards. The http rules need HTTP the sensor can parse and a URI that begins
# with the listed path (depth = path length, no end anchor, so a query string or a
# longer path after it still matches).
# NOTE(review): a name listed for payload delivery together with script paths may
# be a compromised site rather than attacker-owned infrastructure - check the
# referenced ThreatFox entries before turning the domain-wide match into a block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4r3e.js"; depth:8; nocase; http.host; content:"jjpalace.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jjpalace.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"jjpalace.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510034; rev:1;)
# Lower-confidence entries: every rule below carries confidence_level 50.
# URL on an IP-literal Host: matches only when the Host header is exactly the
# listed address and the path begins with the listed prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.124.232.215"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510048/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510048; rev:1;)
# The next name is a subdomain of a third-party parent domain, listed as botnet C2
# at 50% confidence.
# NOTE(review): validate against the referenced ThreatFox entry and local DNS
# history before alerting at high severity or blocking - if the parent serves
# legitimate software in your environment, this rule will be noisy.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdn.soft.qianxin.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510047; rev:1;)
# ip:port rules: destination address and port are the only match conditions, and
# threshold limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [113.23.212.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510046; rev:1;)
alert tcp $HOME_NET any -> [115.74.25.138] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510045/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510045; rev:1;)
alert tcp $HOME_NET any -> [86.127.248.32] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510044; rev:1;)
alert tcp $HOME_NET any -> [13.211.233.30] 2154 (msg:"ThreatFox NetSupportManager RAT botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510042; rev:1;)
# The rules below key on destination address and port only. They carry no
# payload or flow-state check, so the family named in `msg` comes from the
# ThreatFox IOC record, not from anything the sensor saw in the traffic.
# `target:src_ip` marks the $HOME_NET host as the affected side in alert
# output; the threshold limits each rule to one alert per source per 60 s.
alert tcp $HOME_NET any -> [54.151.13.167] 19080 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510043/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510043; rev:1;)
# NOTE(review): 50050 is widely documented as the default management port of
# a Cobalt Strike team server; a hit may be a client session to that service
# rather than an implant check-in. Confirm during triage.
alert tcp $HOME_NET any -> [43.143.123.40] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91510041; rev:1;)
# From here the feed's confidence_level is 100 rather than 50. The value is
# metadata only and does not change how the rule matches.
alert tcp $HOME_NET any -> [81.19.131.173] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510029; rev:1;)
alert tcp $HOME_NET any -> [57.128.76.137] 8081 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510028; rev:1;)
alert tcp $HOME_NET any -> [15.157.60.72] 44818 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510027/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_22; classtype:trojan-activity; sid:91510027; rev:1;) alert tcp $HOME_NET any -> [144.172.95.241] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510026; rev:1;) alert tcp $HOME_NET any -> [115.74.25.138] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510025; rev:1;) alert tcp $HOME_NET any -> [191.13.60.146] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510024; rev:1;) alert tcp $HOME_NET any -> [94.141.122.170] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510023; rev:1;) alert tcp $HOME_NET any -> [82.147.88.84] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/powk"; depth:5; nocase; http.host; content:"turkeytzq.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510022/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510022; rev:1;) alert tcp $HOME_NET any -> [193.26.115.218] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510019; rev:1;) alert tcp $HOME_NET any -> [193.26.115.218] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"buqoc.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510010; rev:1;) alert tcp $HOME_NET any -> [43.163.196.208] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510018; rev:1;) alert tcp $HOME_NET any -> [43.134.86.188] 4522 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510016/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_22; classtype:trojan-activity; sid:91510016; rev:1;) alert tcp $HOME_NET any -> [107.175.32.185] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510017; rev:1;) alert tcp $HOME_NET any -> [103.47.146.161] 3222 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"c6quilltayle.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510014/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510014; rev:1;) alert tcp $HOME_NET any -> [8.134.218.67] 19999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510013; rev:1;) alert tcp $HOME_NET any -> [8.209.36.208] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510012; rev:1;) alert tcp $HOME_NET any -> [156.244.9.237] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510011; rev:1;)
# Exact whole-name DNS match: depth 12 equals the length of "sealyiu.live"
# and isdataat:!1,relative forbids trailing bytes, so other hosts under this
# domain do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sealyiu.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510009; rev:1;)
# URL rules for hobbiesyard.xyz and taxjudge.icu. Both hosts also have domain
# rules in this file (sid:91510003, sid:91510004), so a cleartext request can
# produce a DNS alert and a URL alert for the same client.
# http.uri is a prefix match (depth only), http.host is exact, and only GET
# is inspected; the URL rules do not see requests made over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"hobbiesyard.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510006; rev:1;)
# "/apr.php" and "/apri.php" differ at the fifth byte, so the prefix match
# in this rule does not cover the second path; the feed lists it separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr.php"; depth:8; nocase; http.host; content:"taxjudge.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apri.php"; depth:9; nocase; http.host; content:"taxjudge.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1510008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; 
classtype:trojan-activity; sid:91510008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiltsticks.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hobbiesyard.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taxjudge.icu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teethbubble.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1510005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91510005; rev:1;) alert tcp $HOME_NET any -> [216.9.225.168] 13960 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510000/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510000; rev:1;) alert tcp $HOME_NET any -> [216.9.225.168] 13961 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1510001/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91510001; rev:1;)
# 216.9.225.163 is in the same /24 as 216.9.225.168, which this file lists
# for the same family on ports 13960 and 13961 (sid:91510000, sid:91510001).
# The rule matches on address and port alone; no payload is inspected.
alert tcp $HOME_NET any -> [216.9.225.163] 44040 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509999/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509999; rev:1;)
# The DNS rules that follow name individual hosts under a few parent zones
# (gwyhhcorybwjwuzh.info/.live, zkuafimfdwvetxjq.info, gaihwstpzuomtfnu.info).
# Each is an exact whole-name match (depth 26 + isdataat:!1,relative), so
# only the listed label/TLD combinations alert; another label under the same
# zone is not covered.
# NOTE(review): the labels look machine-generated. If so, expect this list
# to lag behind new names and pair it with behavioural DNS detection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kdxa.gwyhhcorybwjwuzh.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509995/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eicp.gwyhhcorybwjwuzh.live"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509996/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kdxa.zkuafimfdwvetxjq.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509997/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eicp.gaihwstpzuomtfnu.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1509998/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kdxa.gaihwstpzuomtfnu.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509988/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yfrv.gaihwstpzuomtfnu.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509989/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yfrv.zkuafimfdwvetxjq.live"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509990/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yfrv.zkuafimfdwvetxjq.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509991/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"khbw.byxwgimpbwiskniw.live"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509992/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_04_22; classtype:trojan-activity; sid:91509992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"khbw.byxwgimpbwiskniw.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509993/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eicp.gwyhhcorybwjwuzh.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509994/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"xclimatologfy.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509986/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"xhemispherexz.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509987/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"5equatorf.run"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509985/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509985; rev:1;)
# Exact whole-name DNS match on "vynen.icu" (depth 9, no trailing bytes
# allowed, case-insensitive). Subdomains of this name do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vynen.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509905; rev:1;)
# URL rule with an IPv4 literal as host and a 19-byte path prefix. Only GET
# is inspected: a client that sends another method to the same path is not
# matched by this signature, and neither is the same request inside TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dy5h4kus/login.php"; depth:19; nocase; http.host; content:"185.215.113.59"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509910; rev:1;)
# Address-and-port rule with no payload check: any TCP packet from $HOME_NET
# to 88.118.154.192:3333 alerts, limited to one alert per source per 60 s.
alert tcp $HOME_NET any -> [88.118.154.192] 3333 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509911; rev:1;)
# This rule and the next each match exactly one host under a parent zone
# (viewdns.net, pages.dev). NOTE(review): if those parent zones are shared
# among unrelated users, keep the match at host level; widening it to the
# parent domain would alert on unrelated sites.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"internetsearch.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ffmqitnka.pages.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1509941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"integration2-hohc4oi-ql5o2tbhqesto.us-5.magentosite.cloud"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509955/; target:src_ip; metadata: confidence_level 80, first_seen 2025_04_22; classtype:trojan-activity; sid:91509955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apelmerah.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509978; rev:1;) alert tcp $HOME_NET any -> [88.214.48.93] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure.gatecollegesystem.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/loop.js"; depth:13; nocase; http.host; content:"apelmerah.top"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1509979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/vis.php"; depth:13; nocase; http.host; content:"apelmerah.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/index.php"; depth:15; nocase; http.host; content:"apelmerah.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509981; rev:1;) alert tcp $HOME_NET any -> [43.246.208.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509976/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509976; rev:1;) alert tcp $HOME_NET any -> [154.12.22.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509975/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509975; rev:1;) alert tcp $HOME_NET any -> [125.39.27.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1509974/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509974; rev:1;) alert tcp $HOME_NET any -> [124.237.236.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509973/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509973; rev:1;) alert tcp $HOME_NET any -> [111.62.92.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509972/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.97.107.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509970/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"c2.trollers.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509969/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509969; rev:1;) alert tcp $HOME_NET any -> [52.21.173.197] 33060 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509968/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; 
classtype:trojan-activity; sid:91509968; rev:1;)
# Four address-and-port rules, all at confidence_level 50. They match any
# TCP packet from $HOME_NET to the listed endpoint without inspecting
# payload, and the threshold allows one alert per source host per 60 s.
# The family in `msg` is taken from the IOC record, so corroborate a hit
# with host or flow evidence before acting on it.
alert tcp $HOME_NET any -> [212.87.221.57] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509967; rev:1;)
alert tcp $HOME_NET any -> [196.251.72.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509965; rev:1;)
alert tcp $HOME_NET any -> [167.71.13.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509966; rev:1;)
# Port 443 with no TLS or payload keyword: this alerts on any TCP packet to
# the address, whatever service is actually behind it.
alert tcp $HOME_NET any -> [39.105.197.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509964/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509964; rev:1;)
# The http.uri pattern here is "/" with depth:1. Every request URI that
# starts with "/" satisfies it, so in practice this rule alerts on any GET
# whose host is exactly "scollonllc.it.com": it behaves as a host match, not
# a URL match. There is no threshold on URL rules, so each matching request
# on the host can raise its own alert; confidence_level is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"scollonllc.it.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work.txt"; depth:9; nocase; http.host; content:"moteev-biznis-man.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509962; rev:1;)
# The path starts with a domain-looking segment ("/confirmm2.com/...") while
# http.host is the IPv4 literal 89.23.107.240. The rule needs both, so the
# same path requested under a hostname is not matched. http.uri is a prefix
# match, only GET is inspected, and confidence_level is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/confirmm2.com/capcha"; depth:21; nocase; http.host; content:"89.23.107.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509963; rev:1;)
# Address-and-port rules follow: any TCP packet from $HOME_NET to the listed
# endpoint alerts, at most once per source host per 60 s.
alert tcp $HOME_NET any -> [87.251.78.239] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509960; rev:1;)
# The next two rules use port 80 but match at TCP level; no HTTP host or URI
# is checked, so anything else served from these addresses on port 80
# alerts too. An address can change hands after first_seen; re-check the
# IOC's status before escalating an old hit.
alert tcp $HOME_NET any -> [13.112.11.137] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509959; rev:1;)
alert tcp $HOME_NET any -> [18.139.236.62] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509958; rev:1;)
alert tcp $HOME_NET any -> [35.87.33.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509957; rev:1;) alert tcp $HOME_NET any -> [187.63.105.68] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509956; rev:1;) alert tcp $HOME_NET any -> [84.247.153.54] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509953; rev:1;) alert tcp $HOME_NET any -> [120.46.199.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509952; rev:1;) alert tcp $HOME_NET any -> [202.146.218.74] 2024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509951; rev:1;) alert tcp $HOME_NET any -> [47.122.55.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; 
classtype:trojan-activity; sid:91509949; rev:1;) alert tcp $HOME_NET any -> [113.45.225.150] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509950; rev:1;) alert tcp $HOME_NET any -> [8.137.108.138] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509948; rev:1;) alert tcp $HOME_NET any -> [107.173.60.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509947; rev:1;) alert tcp $HOME_NET any -> [1.94.249.10] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oigbh"; depth:6; nocase; http.host; content:"wawrhamer.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509944/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"wquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509945/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dugg"; depth:5; nocase; http.host; content:"polandecor.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509943/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"dsalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509942/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509942; rev:1;) alert tcp $HOME_NET any -> [189.140.47.222] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509940/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"access-apollo-page.r-e.kr"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509938/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; 
sid:91509938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"access-apollo-star7.kro.kr"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509939/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/help/show.php"; depth:20; nocase; http.host; content:"star7.kro.kr"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509935/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/img/show.php"; depth:19; nocase; http.host; content:"star7.kro.kr"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509936/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebin/include.php"; depth:18; nocase; http.host; content:"www.sign.in.mogovernts.kro.kr"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509937/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509937; rev:1;) alert tcp $HOME_NET any -> [91.209.135.231] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1509929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509929; rev:1;) alert tcp $HOME_NET any -> [65.1.112.156] 5903 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509928; rev:1;) alert tcp $HOME_NET any -> [13.203.210.189] 2082 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509926; rev:1;) alert tcp $HOME_NET any -> [65.1.112.156] 47703 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509927; rev:1;) alert tcp $HOME_NET any -> [179.61.147.46] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509925; rev:1;) alert tcp $HOME_NET any -> [45.79.145.180] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509924; rev:1;) alert tcp $HOME_NET any -> 
[176.143.53.10] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509922; rev:1;) alert tcp $HOME_NET any -> [196.251.81.249] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509923; rev:1;) alert tcp $HOME_NET any -> [116.204.34.3] 8090 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509921; rev:1;) alert tcp $HOME_NET any -> [198.135.50.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40b9327d1599486cb928d9d8654f8667.txt"; depth:37; nocase; http.host; content:"vynen.icu"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/3e4ab3f83f4a4f09a53d0f2b390d3470.txt"; depth:37; nocase; http.host; content:"vynen.icu"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509918; rev:1;)
#
# Reading these generated rules
#   * sid is the ThreatFox IOC id prefixed with 9 (sid:91509917 <-> ioc/1509917),
#     so an alert can be looked up directly under the rule's reference URL.
#   * metadata repeats the confidence level from msg and adds first_seen.
#   * target:src_ip marks the $HOME_NET source as the affected host in the alert.
#
# IP:port indicator.
# Header-only match: any TCP packet from $HOME_NET to the listed address and
# port. There is no flow or content keyword, so an alert shows a packet sent
# toward the endpoint, not necessarily an established session. The threshold
# limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [116.202.6.216] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509917; rev:1;)
#
# URL indicator (parsed HTTP, client-to-server, established flows, GET only).
# http.uri: depth equals the pattern length, so the pattern must sit at the
# start of the URI, but nothing anchors the end -- it is a prefix match. With
# "/" as the pattern, every GET to this host matches. nocase applies to the
# http.uri content that precedes it.
# http.host: depth plus isdataat:!1,relative makes it an exact match; the
# pattern is lower case because the http.host buffer is normalised.
# NOTE(review): the same address has an ip:port rule for 443 directly above.
# If the listed URL was served over TLS, this `alert http` rule cannot see it
# without decryption -- confirm the scheme on the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.6.216"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509916; rev:1;)
# Payload-delivery URL on an IP-literal host, confidence 50: URI prefix
# "/mozi.m", exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.98.85.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509907/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509907; rev:1;)
#
# IP:port indicator on port 80 at confidence 50. The rule keys on address and
# port only, so corroborate a hit with HTTP logs for the same flow when triaging.
alert tcp $HOME_NET any -> [185.215.113.59] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509906/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509906; rev:1;)
# IP:port indicator; the domain rule that follows carries the adjacent IOC id
# and the same port number (25009) in its host label -- presumably the same
# endpoint reached by name; verify on ThreatFox.
alert tcp $HOME_NET any -> [193.161.193.99] 25009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509895/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509895; rev:1;)
#
# Domain indicators (DNS queries).
# dns_query is the legacy spelling of the dns.query buffer. depth equal to the
# pattern length plus isdataat:!1,relative makes each rule an exact match on
# the queried name, case-insensitive through nocase: a subdomain of a listed
# name does not match, and neither does its parent zone. fast_pattern selects
# the name as the prefilter pattern.
# Only DNS the sensor parses in cleartext is covered; lookups made over
# DoH or DoT are not visible to these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rayishim-25009.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509896/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"faqyw.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"meerkaty.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509899/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bisonq.live"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509900/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"kriegerspub.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509897/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"talklc.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509898/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509898; rev:1;)
# The next two names sit under the same parent (gl.at.ply.gg). The exact-match
# anchoring confines each rule to the single listed hostname; other names
# under that parent do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"including-briefly.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509893/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"may-biol.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509894/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509894; rev:1;)
# IP:port indicator, confidence 50 (same header-only match and threshold as above).
alert tcp $HOME_NET any -> [45.83.207.17] 3158 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509892/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509892; rev:1;)
# NOTE(review): the other portmap.io name in this block has a name-port host
# label, while this one is just "89". Because the match is exact, a truncated
# name would never fire -- confirm the full hostname on the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"89.portmap.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509891/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509891; rev:1;)
# Domain indicator (DNS query).
# depth equal to the pattern length plus isdataat:!1,relative makes this an
# exact match on the queried name (case-insensitive via nocase); subdomains of
# the listed name do not match. Only cleartext DNS parsed by the sensor is
# covered. sid is the ThreatFox IOC id prefixed with 9, matching the
# reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"is-avi.gl.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509890/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509890; rev:1;)
#
# URL indicators (parsed HTTP, established client-to-server flows, GET only).
# http.uri is anchored at the start (depth == pattern length) with no end
# anchor, so it is a prefix match; http.host is an exact match and is written
# in lower case because that buffer is normalised. nocase belongs to the
# http.uri content. `alert http` sees cleartext HTTP only: the same host
# reached over TLS is outside these rules unless traffic is decrypted.
#
# Payload delivery: the URI pattern carries a double extension (.pdf.exe).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/award.pdf.exe"; depth:14; nocase; http.host; content:"alien-training.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509889/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509889; rev:1;)
# C2 URL on an IP-literal host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ea2cb15d61cc476f.php"; depth:21; nocase; http.host; content:"88.214.48.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509888/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509888; rev:1;)
# NOTE(review): labelled C2 traffic but limited to GET. A check-in sent with
# another method (for example POST) to the same path would not match; confirm
# the observed method on the ThreatFox entry. The "/api" prefix also matches
# longer paths that begin with it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"naturesartgistry.today"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509887/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509887; rev:1;)
#
# IP:port indicator: header-only match on destination address and port, with
# the threshold limiting output to one alert per source per 60 seconds.
# This rule continues on the next line of the listing.
alert tcp $HOME_NET any -> [185.165.171.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509886/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509886; rev:1;) alert tcp $HOME_NET any -> [188.50.9.48] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509885/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509885; rev:1;) alert tcp $HOME_NET any -> [65.2.82.33] 32764 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509884/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509884; rev:1;) alert tcp $HOME_NET any -> [146.70.213.35] 8089 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509883/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509883; rev:1;) alert tcp $HOME_NET any -> [14.225.207.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509882/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509882; rev:1;) alert tcp $HOME_NET any -> [96.9.213.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509878; rev:1;) alert tcp $HOME_NET any -> [159.65.52.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509879/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509879; rev:1;) alert tcp $HOME_NET any -> [46.3.98.7] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509880/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509880; rev:1;) alert tcp $HOME_NET any -> [36.227.128.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509881/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509881; rev:1;) alert tcp $HOME_NET any -> [121.40.127.134] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509877; rev:1;) alert tcp $HOME_NET any -> [1.94.183.238] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509876; rev:1;) alert tcp $HOME_NET any -> [175.24.172.135] 8800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509875; 
rev:1;) alert tcp $HOME_NET any -> [129.211.28.15] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizu"; depth:5; nocase; http.host; content:"longitudde.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509873/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teui"; depth:5; nocase; http.host; content:"latitudert.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509872/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"kpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509871/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiq"; depth:5; nocase; http.host; content:"equatorf.run"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1509869/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xapp"; depth:5; nocase; http.host; content:"hemispherexz.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509870/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"dstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509868/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbud"; depth:5; nocase; http.host; content:"climatologfy.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509867/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pocof.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dy5h4kus/index.php"; depth:19; nocase; http.host; content:"185.215.113.59"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509866; rev:1;) alert tcp $HOME_NET any -> [116.204.159.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509865; rev:1;) alert tcp $HOME_NET any -> [8.212.11.156] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509864; rev:1;) alert tcp $HOME_NET any -> [116.204.159.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509863; rev:1;) alert tcp $HOME_NET any -> [154.205.157.109] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509861; rev:1;) alert tcp $HOME_NET any -> [8.209.36.249] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1509862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509862; rev:1;) alert tcp $HOME_NET any -> [43.142.73.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509859; rev:1;) alert tcp $HOME_NET any -> [47.103.81.25] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509860; rev:1;) alert tcp $HOME_NET any -> [116.204.159.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"partdet-id839847.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"booking.partdet-id839847.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509857; rev:1;) alert tcp 
$HOME_NET any -> [216.126.229.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509800; rev:1;) alert tcp $HOME_NET any -> [216.126.229.225] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509801; rev:1;) alert tcp $HOME_NET any -> [195.201.169.56] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509802; rev:1;) alert tcp $HOME_NET any -> [134.199.189.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509799; rev:1;) alert tcp $HOME_NET any -> [170.64.135.80] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509797; rev:1;) alert tcp $HOME_NET any -> [47.117.80.19] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1509798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509798; rev:1;) alert tcp $HOME_NET any -> [52.57.8.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509794; rev:1;) alert tcp $HOME_NET any -> [13.233.63.18] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509795; rev:1;) alert tcp $HOME_NET any -> [144.202.30.61] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509796; rev:1;) alert tcp $HOME_NET any -> [52.57.8.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509793; rev:1;) alert tcp $HOME_NET any -> [5.135.167.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509792; rev:1;) alert tcp $HOME_NET any -> [13.60.219.249] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509791; rev:1;)
# Reading notes for the generated rules that follow (three templates: ip:port, domain, url).
#  - sid is "9" followed by the ThreatFox IOC id; the reference URL in each rule is the
#    IOC record to consult when triaging a hit.
#  - target:src_ip marks the $HOME_NET side as the target in the alert event, i.e. the
#    internal host is the one to investigate.
#  - ip:port rules (alert tcp ... -> [IP] PORT) carry no content, flow or flags keywords:
#    any TCP packet from $HOME_NET to that endpoint matches, and the threshold keeps it
#    to one alert per source address per 60 seconds. A hit shows contact with the
#    endpoint, not an identified C2 protocol. IP addresses get reassigned, so weigh
#    first_seen and confidence_level and corroborate with flow or endpoint telemetry.
#  - The msg template says "botnet C2" for every C2-type IOC, including frameworks such
#    as Havoc, Sliver, Cobalt Strike, Meterpreter and DeimosC2; the label comes from the
#    template and is not a statement about the actor.
alert tcp $HOME_NET any -> [117.72.56.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509789; rev:1;)
alert tcp $HOME_NET any -> [162.220.11.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509790; rev:1;)
alert tcp $HOME_NET any -> [23.146.40.13] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509788; rev:1;)
# 45.33.7.49 is listed three times (ports 8081, 80 and 9443: sids 91509787, 91509786,
# 91509785). Each port is a separate IOC with its own threshold, so one host can raise
# up to three alerts per minute for this address.
alert tcp $HOME_NET any -> [45.33.7.49] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509787; rev:1;)
alert tcp $HOME_NET any -> [45.33.7.49] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509786; rev:1;)
alert tcp $HOME_NET any -> [51.15.194.103] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509784; rev:1;)
alert tcp $HOME_NET any -> [45.33.7.49] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509785; rev:1;)
alert tcp $HOME_NET any -> [27.124.20.194] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509783; rev:1;)
alert tcp $HOME_NET any -> [207.244.236.115] 44567 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509782; rev:1;)
alert tcp $HOME_NET any -> [18.188.51.6] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509779; rev:1;)
alert tcp $HOME_NET any -> [38.54.16.144] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509780; rev:1;)
alert tcp $HOME_NET any -> [176.65.144.95] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509778; rev:1;)
alert tcp $HOME_NET any -> [151.242.63.186] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509777; rev:1;)
# Domain rules: depth equals the length of the content and isdataat:!1,relative forbids
# trailing data, so the match is on the whole query name (case-insensitive via nocase).
# Sub-domains of a listed name do not match. dns_query is the older spelling of the
# dns.query sticky buffer. There is no threshold here: every matching query alerts.
# NOTE(review): the two ecs-<address>.compute.hwclouds-dns.com names look like
# provider-assigned instance hostnames; presumably they stop being meaningful once the
# instance is released, so confirm before treating old hits as malicious.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-123-249-34-118.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-1-92-78-64.compute.hwclouds-dns.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venusgrou.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509776; rev:1;)
alert tcp $HOME_NET any -> [66.42.92.55] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509773; rev:1;)
# URL rules: http.uri is anchored at the start by depth but has no end anchor, so it is
# a prefix match (longer paths and query strings also match). http.host is an exact
# match (depth plus isdataat:!1,relative). Only GET requests that Suricata parses as
# HTTP are covered; the same URL fetched over TLS is not inspected by these rules.
# NOTE(review): sids 91509738-91509742 (confidence 25, "botnet C2 traffic") and sids
# 91509744-91509748 (confidence 100, "payload delivery") pair up on identical
# method/URI/host conditions, so one request raises two alerts with different labels.
# Deduplicate downstream or suppress the lower-confidence sid of each pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"hizliveguvenserviceds.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509740/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_22; classtype:trojan-activity; sid:91509740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"hizliveguvenmserviceds.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509739/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_22; classtype:trojan-activity; sid:91509739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"hizliveguvenimserviceds.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509738/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_22; classtype:trojan-activity; sid:91509738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkno"; depth:5; nocase; http.host; content:"gorillao.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509732/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_22; classtype:trojan-activity; sid:91509732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"5hizliveguvenserviceds.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509742/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_22; classtype:trojan-activity; sid:91509742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"33hizliveguvenserviceds.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509741/; target:src_ip; metadata: confidence_level 25, first_seen 2025_04_22; classtype:trojan-activity; sid:91509741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"hizliveguvenserviceds.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"hizliveguvenimserviceds.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"hizliveguvenmserviceds.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"33hizliveguvenserviceds.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzmxnze5mjexy2q3/"; depth:18; nocase; http.host; content:"5hizliveguvenserviceds.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509748; rev:1;)
# Host value is a bare IPv4 address, so no DNS lookup precedes the request and no domain
# rule accompanies this URL rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"67.215.225.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509749; rev:1;)
# In the next three rules http.uri content "/" with depth:1 matches every URI that
# starts with "/", so they are effectively host-only matches on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ow5dirasuek.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509692/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mkkuei4kdsz.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509693/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lousta.net"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509694/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509694; rev:1;)
# The "-23612" suffix of this portmap.io name equals the destination port of the Nanocore
# ip:port rule sid 91509673 further down; presumably both describe the same forwarded
# endpoint. NOTE(review): forwarding services front many unrelated users, so treat the
# ip:port pair (not the address alone) as the indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitikixoroshie-23612.portmap.io"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509674; rev:1;)
# Payload-delivery hosts are usually listed twice: once as a domain rule (fires on the
# lookup) and once per URL (fires on the plaintext GET). Expect both for one download.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"umpmfss.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/index.php"; depth:16; nocase; http.host; content:"umpmfss.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/loop.js"; depth:14; nocase; http.host; content:"umpmfss.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/vis.php"; depth:14; nocase; http.host; content:"umpmfss.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/vi.php"; depth:13; nocase; http.host; content:"manwithedhelp.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509724; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 23612 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509673; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.27] 51048 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509678/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509678; rev:1;)
# pages.dev is a shared hosting suffix; the exact-match form keeps this rule scoped to the
# one listed sub-domain and never to the suffix as a whole.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jrtersdfg.pages.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/loop.js"; depth:13; nocase; http.host; content:"fuckhdmov.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckhdmov.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/select.js"; depth:15; nocase; http.host; content:"fuckhdmov.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk/vis.php"; depth:13; nocase; http.host; content:"fuckhdmov.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/key.zip"; depth:8; nocase; http.host; content:"itradepay.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"itradepay.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509653; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.81] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4w2e.js"; depth:8; nocase; http.host; content:"nettixx.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nettixx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"nettixx.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dashes.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boostcmc.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"886132-coinbase.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bookviewreserves.click"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"betiv.fun"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1.wieldercherub.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kajec.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rhfvjck.pages.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.freein-deed.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509568; rev:1;)
# Twelve .digital names follow with consecutive IOC ids (sids 91509530-91509541), all at
# confidence 75; presumably they were submitted as one batch. A host that resolves
# several of them in a short window is a stronger signal than a single lookup.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newtsda.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509530/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"snailzg.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509531/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crabw.digital"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509532/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"whippetzx.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509533/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zebrai.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509534/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hedgehocvg.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509535/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tapiretre.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509536/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dolphine.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509537/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ferretwq.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509538/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"remorar.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509539/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"slothwe.digital"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509540/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goldfisher.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509541/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509541; rev:1;)
# ResolverRAT entries (sids 91509850-91509854) carry confidence_level 50 and cover two
# addresses on ports 56001-56003. The metadata confidence_level value is the field to
# key on if lower-confidence IOCs should be routed to a lower-priority queue.
alert tcp $HOME_NET any -> [38.54.6.120] 56001 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509850/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509850; rev:1;)
alert tcp $HOME_NET any -> [192.30.241.106] 56001 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509851/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509851; rev:1;)
alert tcp $HOME_NET any -> [38.54.6.120] 56002 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509852/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509852; rev:1;)
alert tcp $HOME_NET any -> [38.54.6.120] 56003 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509853/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509853; rev:1;)
alert tcp $HOME_NET any -> [192.30.241.106] 56003 (msg:"ThreatFox ResolverRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509854/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_22; classtype:trojan-activity; sid:91509854; rev:1;)
alert tcp $HOME_NET any -> [217.18.210.168] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509803; rev:1;)
alert tcp $HOME_NET any -> [51.89.54.13] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509781; rev:1;)
alert tcp $HOME_NET any -> [8.149.139.253] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509771/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509771; rev:1;)
alert tcp $HOME_NET any -> [47.254.74.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509770/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509770; rev:1;)
alert tcp $HOME_NET any -> [43.139.124.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509769/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509769; rev:1;)
# NOTE(review): the cfc-execute.<region>.baidubce.com names (this rule and sid 91509756)
# look like per-tenant endpoints under a cloud provider's domain; confirm. The exact
# match keeps each rule limited to the one listed label.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"8y1h12ay4vt22.cfc-execute.gz.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509768/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_22; classtype:trojan-activity; sid:91509768; rev:1;)
alert tcp $HOME_NET any -> [34.207.181.116] 17369 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509766; rev:1;)
alert tcp $HOME_NET any -> [52.78.63.138] 26319 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509767; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.68] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509764; rev:1;)
alert tcp $HOME_NET any -> [80.225.221.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509765; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.74] 7513 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msfed.socalmediazone.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509762; rev:1;)
alert tcp $HOME_NET any -> [45.81.23.48] 1888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509760; rev:1;)
alert tcp $HOME_NET any -> [141.98.11.26] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509761; rev:1;)
alert tcp $HOME_NET any -> [85.9.204.226] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509759; rev:1;)
alert tcp $HOME_NET any -> [47.102.209.177] 8389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509758; rev:1;)
alert tcp $HOME_NET any -> [192.252.176.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_22; classtype:trojan-activity; sid:91509757; rev:1;)
# From here on first_seen is 2025_04_21 (the file runs newest to oldest).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ej2a599x7hw7j.cfc-execute.su.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509756/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ajs.july.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509755/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509755; rev:1;)
alert tcp $HOME_NET any -> [69.55.62.10] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509713/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509713; rev:1;)
alert tcp $HOME_NET any -> [69.55.62.10] 8081 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509714/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509714; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.206] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509712/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509712; rev:1;)
alert tcp $HOME_NET any -> [85.103.143.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509710/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509710; rev:1;)
alert tcp $HOME_NET any -> [52.143.143.239] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509709/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509709; rev:1;)
alert tcp $HOME_NET any -> [47.93.135.155] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509708/; target:src_ip; 
metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509708; rev:1;) alert tcp $HOME_NET any -> [191.112.11.31] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509705/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509705; rev:1;) alert tcp $HOME_NET any -> [14.225.33.238] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509703/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509703; rev:1;) alert tcp $HOME_NET any -> [138.197.61.237] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509702/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509702; rev:1;) alert tcp $HOME_NET any -> [95.164.38.201] 443 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509691; rev:1;) alert tcp $HOME_NET any -> [35.180.71.126] 9300 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509689; rev:1;) alert tcp $HOME_NET any -> [35.180.71.126] 7000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509690; rev:1;) alert tcp $HOME_NET any -> [35.181.61.21] 20095 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.x-fx.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509687; rev:1;) alert tcp $HOME_NET any -> [88.119.175.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office300.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-233-246-131.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509684/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509684; rev:1;) alert tcp $HOME_NET any -> [80.66.81.75] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509683; rev:1;) alert tcp $HOME_NET any -> [83.217.209.186] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509682; rev:1;) alert tcp $HOME_NET any -> [196.251.115.43] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509680; rev:1;) alert tcp $HOME_NET any -> [206.71.149.182] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509681; rev:1;) alert tcp $HOME_NET any -> [49.113.74.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509679; rev:1;) alert tcp $HOME_NET any -> [47.109.206.114] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509647/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509647; rev:1;) alert tcp $HOME_NET any -> [38.95.173.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509645/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509645; rev:1;) alert tcp $HOME_NET any -> [38.95.173.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509646/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509646; rev:1;) alert tcp $HOME_NET any -> [166.88.61.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509644/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509644; rev:1;) alert tcp $HOME_NET any -> [166.88.61.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509643/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509643; rev:1;) alert tcp $HOME_NET any -> [1.94.105.194] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509642/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; 
sid:91509642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsoz"; depth:5; nocase; http.host; content:"vporcupineq.digital"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509640/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509640; rev:1;) alert tcp $HOME_NET any -> [176.120.66.174] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509637; rev:1;) alert tcp $HOME_NET any -> [51.44.8.103] 15000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509636; rev:1;) alert tcp $HOME_NET any -> [172.190.216.61] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509635; rev:1;) alert tcp $HOME_NET any -> [47.242.209.239] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509634; rev:1;) alert tcp $HOME_NET any -> [20.255.61.139] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509633; rev:1;) alert tcp $HOME_NET any -> [152.53.55.12] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509632; rev:1;) alert tcp $HOME_NET any -> [104.245.106.30] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509631; rev:1;) alert tcp $HOME_NET any -> [13.217.2.22] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509630; rev:1;) alert tcp $HOME_NET any -> [172.81.132.221] 2121 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509629; rev:1;) alert tcp $HOME_NET any -> [176.65.139.78] 1952 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; 
sid:91509626; rev:1;) alert tcp $HOME_NET any -> [196.251.115.182] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509627; rev:1;) alert tcp $HOME_NET any -> [107.172.4.163] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509628; rev:1;) alert tcp $HOME_NET any -> [101.35.6.67] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509625; rev:1;) alert tcp $HOME_NET any -> [94.72.104.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns2.cmbsxfvpnsupport.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509616/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns1.cmbsxfvpnsupport.website"; depth:28; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509615/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509615; rev:1;) alert tcp $HOME_NET any -> [8.154.40.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509614; rev:1;) alert tcp $HOME_NET any -> [39.106.159.206] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509613; rev:1;) alert tcp $HOME_NET any -> [113.44.255.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1115545.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1116616.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1111976.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1111617.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1112024.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1111903.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"textilmarkt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509603/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509603; rev:1;) alert tcp $HOME_NET any -> [195.206.234.30] 8041 (msg:"ThreatFox Unknown RAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509602/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509602; rev:1;) alert tcp $HOME_NET any -> [196.251.80.109] 6969 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"background-estates.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509600/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509600; rev:1;) alert tcp $HOME_NET any -> [45.144.214.123] 6374 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509599/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"carolina-candles.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509598; rev:1;) alert tcp $HOME_NET any -> [3.25.125.234] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509596/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509596; rev:1;) alert tcp $HOME_NET any -> [31.223.72.70] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509597/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"v31v2x.ssafileaccess.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509595/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509595; rev:1;) alert tcp $HOME_NET any -> [62.60.226.233] 3000 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509594/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509594; rev:1;) alert tcp $HOME_NET any -> [136.144.164.95] 8166 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509593/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509593; rev:1;) alert tcp $HOME_NET any -> [147.50.253.154] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509592/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509592; rev:1;) alert tcp $HOME_NET any -> 
[56.228.3.202] 4282 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509591/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509591; rev:1;) alert tcp $HOME_NET any -> [60.17.4.86] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509590/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509590; rev:1;) alert tcp $HOME_NET any -> [38.148.241.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509587; rev:1;) alert tcp $HOME_NET any -> [84.46.248.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509588; rev:1;) alert tcp $HOME_NET any -> [4.201.201.54] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509589; rev:1;) alert tcp $HOME_NET any -> [15.223.196.63] 50100 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509583/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509583; rev:1;) alert tcp $HOME_NET any -> [15.223.196.63] 8500 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509584; rev:1;) alert tcp $HOME_NET any -> [15.223.196.63] 8200 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509585; rev:1;) alert tcp $HOME_NET any -> [15.223.196.63] 17000 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509586/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509586; rev:1;) alert tcp $HOME_NET any -> [15.223.196.63] 50000 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509582; rev:1;) alert tcp $HOME_NET any -> [152.136.17.91] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509581; rev:1;) alert tcp $HOME_NET any -> [115.120.232.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509580; rev:1;)
# Layout: one rule per physical line (Suricata only joins lines that end in a
# backslash), so a rule wrapped mid-option will not load.
#
# ip:port rules: the header is the whole match - any TCP packet from $HOME_NET
# to the listed address and port. There is no flow or payload condition, so an
# alert records a connection attempt towards the IOC, not a confirmed C2 session.
# threshold type limit, track by_src, count 1, seconds 60 caps each rule at one
# alert per source address per minute. target:src_ip marks the $HOME_NET side
# as the target in alert output.
# confidence_level 50 is the rating stated in the rule's msg and metadata for
# the ThreatFox entry given in reference:url.
# NOTE(review): corroborate 50% hits with other evidence before acting on them.
alert tcp $HOME_NET any -> [123.60.215.96] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509579; rev:1;)
alert tcp $HOME_NET any -> [123.207.42.139] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509578; rev:1;)
alert tcp $HOME_NET any -> [115.175.67.174] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509577; rev:1;)
alert tcp $HOME_NET any -> [43.134.118.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509575; rev:1;)
alert tcp $HOME_NET any -> [113.45.247.72] 9527 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509576/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509576; rev:1;)
alert tcp $HOME_NET any -> [185.156.175.60] 42827 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509569/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509569; rev:1;)
alert tcp $HOME_NET any -> [152.136.17.91] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509567/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509567; rev:1;)
# url rules: client-to-server requests on an established flow. http.method must
# contain "GET"; http.uri must begin with the listed path (depth equals the
# path length, nocase, no end anchor, so longer URIs sharing the prefix also
# match); http.host must equal the listed host exactly (depth equals its
# length and isdataat:!1,relative rejects any byte after it).
# These rules carry no threshold, so every matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"70.40.41.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"vchangeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509565/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"8zestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509564/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509564; rev:1;)
# ip:port rules resume: header-only match, one alert per source per 60 seconds.
# Several rules below share one address on different ports; each is a separate
# IOC with its own sid.
alert tcp $HOME_NET any -> [47.119.142.39] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509563; rev:1;)
alert tcp $HOME_NET any -> [54.232.61.174] 44818 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509560; rev:1;)
alert tcp $HOME_NET any -> [18.215.167.6] 104 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509561; rev:1;)
alert tcp $HOME_NET any -> [18.215.167.6] 2454 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509562; rev:1;)
alert tcp $HOME_NET any -> [54.232.61.174] 29618 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509559; rev:1;)
alert tcp $HOME_NET any -> [84.32.25.119] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509558; rev:1;)
# ip:port rules: the match is the header only (any TCP packet from $HOME_NET to
# the listed address and port), so an alert shows that a host tried to reach
# the IOC, not that a C2 session was established. threshold type limit,
# track by_src, count 1, seconds 60 gives at most one alert per source address
# per minute for each rule.
# first_seen in metadata is the only age information the rule carries.
# NOTE(review): addresses can be reassigned - check the ThreatFox entry in
# reference:url before treating an old ip:port hit as current.
alert tcp $HOME_NET any -> [82.147.88.84] 15747 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509557; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.169] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509553; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.169] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509554; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.169] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509555; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.131] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509556; rev:1;)
alert tcp $HOME_NET any -> [176.65.144.95] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509551; rev:1;)
alert tcp $HOME_NET any -> [23.227.167.188] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509552; rev:1;)
alert tcp $HOME_NET any -> [189.142.53.80] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509550; rev:1;)
# domain rule: content on the dns_query buffer with depth equal to the name
# length, plus isdataat:!1,relative, matches only a query for exactly this
# name (nocase); a subdomain or the parent zone does not match. No threshold
# is set, so every matching query raises an alert.
# NOTE(review): dns_query is the legacy spelling of the dns.query buffer -
# confirm the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip143.ip-51-195-193.eu"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509549; rev:1;)
# ip:port rules resume (header-only match, one alert per source per 60 seconds).
alert tcp $HOME_NET any -> [115.120.196.108] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509548; rev:1;)
alert tcp $HOME_NET any -> [42.192.114.39] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509547; rev:1;)
alert tcp $HOME_NET any -> [43.139.124.56] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509544; rev:1;)
alert tcp $HOME_NET any -> [43.139.124.56] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509545; rev:1;)
alert tcp $HOME_NET any -> [111.124.203.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509546; rev:1;)
alert tcp $HOME_NET any -> [8.212.124.162] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509542; rev:1;)
alert tcp $HOME_NET any -> [121.37.23.116] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509543; rev:1;)
alert dns $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spring-plasma.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509511; rev:1;)
# domain rules: content on the dns_query buffer with depth equal to the name
# length, plus isdataat:!1,relative, matches only a query for exactly the
# listed name (nocase). Subdomains and the parent zone do not match, and no
# threshold is set, so every matching query raises an alert.
# NOTE(review): ply.gg, portmap.host and portmap.io look like shared
# tunnelling / port-forwarding zones in which each label is a separate tenant.
# The exact-name match keeps alerts off unrelated hosts in the same zone, so
# do not widen these rules to the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"total-enclosure.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j-sic.gl.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd2006xdtg17-61169.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiderali-41746.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"famatec840-20359.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paper-shot.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businesses-standing.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ma-toddler.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cases-justin.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store-trust.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovecatgirlsowo-29235.portmap.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bahu44-55990.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domain-elizabeth.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gandoebmanda-32810.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"might-sexuality.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509526; rev:1;)
# ip:port rules: header-only match (any TCP packet from $HOME_NET to the listed
# address and port); threshold type limit, track by_src, count 1, seconds 60
# gives at most one alert per source address per minute for each rule.
alert tcp $HOME_NET any -> [191.243.161.204] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509502; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 1488 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509503; rev:1;)
alert tcp $HOME_NET any -> [144.126.128.15] 5555 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509504; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.120] 6060 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509505; rev:1;)
alert tcp $HOME_NET any -> [62.146.233.100] 3343 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509506; rev:1;)
alert tcp $HOME_NET any -> [45.88.79.231] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509507; rev:1;)
# domain rules resume (exact-name match on the DNS query, no threshold).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forum-audit.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mission-travel.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inn-pleased.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rrr.shenron.pw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509500; rev:1;)
alert tcp $HOME_NET any -> [138.199.47.202] 4444 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1509501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509501; rev:1;)
# domain rules: content on the dns_query buffer with depth equal to the name
# length, plus isdataat:!1,relative, matches only a query for exactly the
# listed name (nocase); subdomains and the parent zone do not match. No
# threshold is set, so every matching query raises an alert, and
# target:src_ip marks the querying $HOME_NET address as the target.
# NOTE(review): where clients use an internal resolver, the source seen by the
# sensor may be that resolver rather than the infected host - confirm sensor
# placement.
# NOTE(review): most zones below (no-ip.biz, no-ip.org, no-ip.info, zapto.org,
# duckdns.org, chickenkiller.com, mine.nu, is-very-bad.org) look like
# dynamic-DNS providers shared by unrelated users; keep the match at full-name
# level rather than widening it to the provider zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai666.chickenkiller.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnetci31.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.phatdepzai.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdup75.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ac4tnt.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omar22.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bozkurtdesign.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkr0550.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedps.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zkb5nhlzapata36.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xialscox.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scctor.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"listaa7bkmoot.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"listahkrmoot.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thuthuatgame.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scdscd.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xzzx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sls-2.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cantotu.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zipik2.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashrarh.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al3aqrbawi.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cobra.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lethal.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demon5551.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverus.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wire.mine.nu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dico.is-very-bad.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x40.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmemee.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emerlim2.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509474; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.169] 85 (msg:"ThreatFox DarkComet
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509455; rev:1;) alert tcp $HOME_NET any -> [94.178.92.5] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509456; rev:1;) alert tcp $HOME_NET any -> [99.99.166.46] 3085 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509457; rev:1;) alert tcp $HOME_NET any -> [94.225.115.130] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509458; rev:1;) alert tcp $HOME_NET any -> [77.102.210.169] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509459; rev:1;) alert tcp $HOME_NET any -> [185.246.113.248] 5555 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509460; rev:1;) alert tcp $HOME_NET any -> [86.120.144.30] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509461; rev:1;) alert tcp $HOME_NET any -> [203.109.175.203] 100 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509462; rev:1;) alert tcp $HOME_NET any -> [88.85.140.114] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509463; rev:1;) alert tcp $HOME_NET any -> [89.153.208.118] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509464; rev:1;) alert tcp $HOME_NET any -> [78.219.82.2] 52 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509465; rev:1;) alert tcp $HOME_NET any -> [207.47.155.23] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1509466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509466; rev:1;)
# ip:port rules. There are no flow or payload keywords, so each rule fires on
# any TCP packet from $HOME_NET to the listed address and port; a connection
# attempt alone is enough. The threshold caps output at one alert per source
# host per 60 seconds, and target:src_ip marks the internal host as the
# affected side.
# NOTE(review): an alert here shows contact with the address, not that the
# peer is still a C2 server; check the referenced ThreatFox entry and the
# first_seen date during triage.
alert tcp $HOME_NET any -> [5.3.190.194] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509467; rev:1;)
alert tcp $HOME_NET any -> [108.59.12.68] 77 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509468; rev:1;)
# Domain rules. depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so the DNS query name
# must equal the listed name exactly (case-insensitive via nocase); a query
# for a subdomain of the name does not match. There is no threshold keyword,
# so every matching query produces an alert.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky
# buffer; confirm the Suricata version in use still accepts it.
# NOTE(review): the names appear to sit under dynamic-DNS provider zones, so a
# hit records a lookup by the $HOME_NET host rather than a confirmed C2
# session; correlate with the resolved address and follow-on traffic.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bellen123.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ienemy.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drk1.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509444; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amoresperros.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birouamar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amine10.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptexlite.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masan3033.3322.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"sie.myvnc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testehff.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havefunscape.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ziddi-rajput1.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mryandao.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"486.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1509418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisismyhost.bounceme.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barca123.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noip81.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benzin.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dxoop590.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509423/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_21; classtype:trojan-activity; sid:91509423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"james7461.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youtube123.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lololtenis.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypter121.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberdark.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker4life.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bjkliardii.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smellyrat.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dylz-h4ck.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soupspoon.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ichsage.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynnah.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donar5551122.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"podead.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"looker.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guari10.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1509439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inrisi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callofduty.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forced.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freersgold.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abrakadabra.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"privatecoisas.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7koma.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jiggle.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"queadx.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dc1604.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h5n1.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trapperbrrrat.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iamasspee.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"segma12.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anotherlifehack.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absolute2011.no-ip.org"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"29a.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymousxbang.no-ip.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elpida.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skaar-ssss.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-station.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509411/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myronsqueal.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mishoo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcometratboi.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dabeastb0ss.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcometohiskillz.no-ip.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; 
sid:91509416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21egroeg.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unknownservice.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alonelydmrist.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawezhhacker.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v63.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"smooks.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idconfirm.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat-h4ck3r.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509376; rev:1;)
# NOTE(review): the next name is under on-ip.org, while the neighbouring
# entries use no-ip.org. The rule matches the query name exactly as published
# (depth:18 equals the content length and isdataat:!1,relative forbids
# trailing data), so a lookup of a no-ip.org spelling would not trigger it.
# Confirm the value against the referenced ThreatFox entry before treating it
# as a typo; the IOC is left as published here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jokerrrr.on-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qaz.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"folces.no-ip.biz"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aatesting.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baileyiscless.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opiate.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techhdproductionz.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n3v3rm1nd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509384/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolarne.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naoruim.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasadude12.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noctysse.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newasd2000.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509389; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guiullervidaloka.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crashmob.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atrixstic.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iipod2010.eicp.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotomansito.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"xtechnox.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suckmaboolz.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dc15.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacemaker.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sir999.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebineshax.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1509353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boottheworld.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverflorida1.no-ip.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awaismalik.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atmasyon.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"impulse.dyndns-mail.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509358/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_21; classtype:trojan-activity; sid:91509358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kentotdia.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doizece.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lastdede.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77636.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testovi.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dasdasasd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n4w.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eelghali.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cerealkiller.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moihost.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guixnoip.no-ip.org"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509369; rev:1;)
# NOTE(review): the ip:port rules below carry no flow, flags or content keyword,
# so any TCP packet from $HOME_NET to the listed address and port matches; a
# hit shows that a packet was sent there, not that a session was established.
# "threshold: type limit, track by_src, seconds 60, count 1" caps alerts at one
# per source per 60 seconds, so alert counts do not reflect traffic volume.
# target:src_ip marks the $HOME_NET host as the affected side of the event.
alert tcp $HOME_NET any -> [176.65.143.172] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509343; rev:1;)
alert tcp $HOME_NET any -> [167.71.202.74] 3131 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509344; rev:1;)
# Exact-name DNS match: depth equals the content length (17) and
# isdataat:!1,relative requires that nothing follows the match, so only a query
# for this literal name fires (case-insensitively); names under it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akim570.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509345; rev:1;)
alert tcp $HOME_NET any -> [82.152.90.146] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509334; rev:1;)
alert tcp $HOME_NET any -> [93.115.172.234] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; 
sid:91509335; rev:1;) alert tcp $HOME_NET any -> [176.65.143.222] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509336; rev:1;) alert tcp $HOME_NET any -> [94.103.188.118] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509337; rev:1;) alert tcp $HOME_NET any -> [147.135.248.108] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509338; rev:1;) alert tcp $HOME_NET any -> [176.65.144.35] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509339; rev:1;) alert tcp $HOME_NET any -> [185.232.204.60] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509340; rev:1;) alert tcp $HOME_NET any -> [94.154.34.47] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1509341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509341; rev:1;) alert tcp $HOME_NET any -> [45.125.66.205] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509342; rev:1;) alert tcp $HOME_NET any -> [94.247.172.67] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509323; rev:1;) alert tcp $HOME_NET any -> [88.181.114.175] 3726 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509324; rev:1;) alert tcp $HOME_NET any -> [80.59.134.144] 33031 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509325; rev:1;) alert tcp $HOME_NET any -> [108.231.94.28] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509326; rev:1;) alert tcp $HOME_NET any -> [41.201.104.29] 81 (msg:"ThreatFox CyberGate botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509327; rev:1;) alert tcp $HOME_NET any -> [80.59.134.144] 50023 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509328; rev:1;) alert tcp $HOME_NET any -> [70.119.47.205] 7332 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509329; rev:1;) alert tcp $HOME_NET any -> [83.81.84.239] 1337 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509330; rev:1;) alert tcp $HOME_NET any -> [195.250.178.84] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509331; rev:1;) alert tcp $HOME_NET any -> [88.235.195.186] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509332; rev:1;)
# NOTE(review): 198.162.1.3 differs from the private address 192.168.1.3 only by
# two transposed digits, so this may be a LAN address mistyped in a sample's
# configuration rather than a live C2 — TODO confirm against
# threatfox.abuse.ch/ioc/1509333/. The rule has no content or flow keyword, so
# any TCP packet from $HOME_NET to port 80 of that address matches; corroborate
# a hit (HTTP logs, endpoint telemetry) before escalating on the 100%
# confidence label alone.
alert tcp $HOME_NET any -> [198.162.1.3] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509333; rev:1;)
# The DNS rules below match the query name exactly: depth equals the content
# length and isdataat:!1,relative requires that nothing follows the match, so
# names under the listed host do not fire. nocase makes the comparison
# case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrixoodz.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takkenrakker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xvelaa.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmg1234.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"dadypop.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atsuki.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orientseikko.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y7c.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albundy79.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zero-x.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1509303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahnungslos.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rambo2012.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuscarros.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salumm.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsn3osy.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509308/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_21; classtype:trojan-activity; sid:91509308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"partyinhell.myftp.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybersimple.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tumadreetupadre.servecounterstrike.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3x3r.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ourchuha.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509313; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myfreegirls.myphotos.cc"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cieb.3322.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zerotrojan93.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coolsam.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dominican12345.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"djbobolo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f3r.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camsxbox.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plutonium.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waraven.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premiertestlol.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1509276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberintrox.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razame.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"banlieu451.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"butch88.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vinnicom2enes.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509281; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the domain rules below (layout restored to one rule per line).
#
# Matching: each rule fires on a DNS query from $HOME_NET whose queried name
# equals the listed hostname. `depth` is set to the length of the `content`
# string, which pins the match to the start of the dns_query buffer, and
# `isdataat:!1,relative` requires that no byte follows it; `nocase` makes the
# comparison case-insensitive. A query for a subdomain of a listed name
# therefore does not match. (`dns_query` is the legacy spelling of the
# `dns.query` sticky buffer.)
#
# Scope: most of the names appear to be hosts under shared dynamic-DNS
# suffixes (no-ip.biz, zapto.org, sytes.net, ...). The rules match the full
# hostname only; widening a rule to the parent suffix would also flag
# unrelated users of those services.
#
# Triage: `target:src_ip` marks the querying source as the affected side in
# the alert. Where clients use an internal recursive resolver and the sensor
# only sees resolver-to-internet traffic, that source is the resolver, so
# attribute the lookup from resolver query logs. Queries carried over DoH/DoT
# are not visible to these rules. An alert shows that a name was looked up,
# not that a C2 session was established; correlate with later flows to the
# resolved address before escalating.
#
# Bookkeeping: the sid is the ThreatFox IOC id from the `reference` URL
# prefixed with 9. The msg text in this stretch names no malware family, so
# use the reference URL for attribution context.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nicolas123123.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wesooo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cino123.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"13pro37.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alatas.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tolly.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7upkarl.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateblim.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotsis.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winshark.dyndns-home.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kelebek.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509292; rev:1;)
# NOTE(review): "bofr7.no.ip.org" does not follow the no-ip.<tld> form of the
# neighbouring entries; kept exactly as published - confirm against the
# ThreatFox reference before tuning or suppressing this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bofr7.no.ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadypopjava.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pipk.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winshark.dyndns-mail.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"readman.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aom-argentina.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pelita.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jedipies.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1s3.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nikohacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1337legendenbude.zapto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alxxporsiempre.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cookiemonsterstd.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ziker.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crystal123.myftp.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodleadds.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wekasw.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tered.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovemyfame.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omfzgpeeksux.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxr.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trietop2.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beerry.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ww.servehttp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickwilging.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xegytigerx2.myftp.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsupdate9804.redirectme.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dukeson2.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noufiz1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bam123.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metcn54.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameerpowwer.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morben.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"street-za.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatedns.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"electrohqckernoip.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xttxer.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gabrielsilva123.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylaa.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karpi.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rs3life.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sirlenam.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fremusic.servemp3.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"szlagi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"purefighamod.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftpmac.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myemptyblog.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fannyfart.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sapala.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uiwq23hf42.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vvb.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rayane888.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4s4.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ownedl33t.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faho0od.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g00gl3.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xegytigerx.myftp.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demon121.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slig.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j44.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkmrch.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonym-pc.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bojan4e90.servebeer.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"titos.myvnc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test4rt.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smelino.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmad1122.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbrejo1.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker2danger.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anabolic.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kralemre.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucaswoods.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jeebuslmao.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winshark.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killerciaotest.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingmoker.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ysyx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stayka003.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hinajaben.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bicrav.dyndns.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stphn.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamed.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldofbinaryserv.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adel001.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509178; rev:1;)
# NOTE(review): "hav3nt.np-ip.biz" does not follow the no-ip.<tld> form of the
# neighbouring entries; kept exactly as published - confirm against the
# ThreatFox reference before tuning or suppressing this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hav3nt.np-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinkernut.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runescape-brute.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaer83.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackedbyme.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iamliaoyusheng.gicp.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arnst.3322.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ozgur001122.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plasticpac.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"namehost42.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"francia1999.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratabuster.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftcorp.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"access222.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thekingomar.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vurtne.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1509194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"francia1998.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-info.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmail.dyndns.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erikssick.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harit.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glen120307.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dariooo1.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ackraizo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arif1.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adonarr.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shushumiga.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"braian2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loolhack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"addictinggames.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rshks.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franciaamil.no-ip.org"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509158; rev:1;)
# Domain indicators, one rule per name. The content string is anchored at the start
# of the dns_query buffer (depth = its length) and at the end (isdataat:!1,relative),
# so only a query for exactly that name alerts; nocase ignores letter case.
# The run mixes hosts under dynamic-DNS zones (no-ip.*, zapto.org, ddns.net,
# duckdns.org, ...) with registered domains (.top, .com). In both cases the full
# name is what is matched.
# metadata carries the feed's confidence_level and first_seen date; first_seen is
# the only age information in the rule, so use it when triaging hits on older names.
# A hit is a resolution attempt by the address in src_ip. NOTE(review): behind an
# internal recursive resolver, src_ip is presumably the resolver, not the endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leshnik.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rokutukas.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sananelan.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"massama-spy.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youtubes.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killer-pro.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server00000.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proyectoinfection.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gseggtr.selfip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmodei.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morgo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhack.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragondz-aflou.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coldcode.servegame.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyr78wfya85.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vaudraqjdarrion.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zie96irmad.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"settingsline.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwerty123.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heslip.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santer-flow.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youtube11.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newcgdice.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikethec.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mp32009.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dafuqdidjusthappen.zapto.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freepokerchips.sytes.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadbird72.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bellika.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beispiel2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christiantony388.ddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malo2100.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matic2230.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiznet.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matic2230.ddnsfree.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marinjack44.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"tsunamipapi.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509128; rev:1;)
# ip:port indicators (this rule and the other "alert tcp" rules below).
# These rules carry no flow or payload keyword: a TCP packet from $HOME_NET to the
# listed address and port is enough to match; no established session is required.
# The malware family in msg comes from the ThreatFox entry, not from anything
# inspected on the wire.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds, so alert counts do not reflect
# connection volume.
# Addresses can be reassigned or shared; first_seen in metadata is the only age
# information in the rule and should be weighed when triaging a hit.
alert tcp $HOME_NET any -> [91.193.75.138] 7690 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509129; rev:1;)
# url indicators. Each rule fires on a client GET (flow:established,from_client)
# whose http.host equals the listed name (depth = its length, plus
# isdataat:!1,relative) and whose http.uri begins with the listed path. The uri
# content has depth but no isdataat, so a longer URI with that prefix also matches.
# These are "alert http" rules: the request has to be visible to the sensor as
# HTTP, so the same request carried inside TLS is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbtjvcnvspaxwpvfxynx17"; depth:23; nocase; http.host; content:"home.fivell5th.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jtnyqiiktqrjlpexvdad174"; depth:24; nocase; http.host; content:"home.sixbb6mn.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guduuglbfcehrylffbkg174"; depth:24; nocase; http.host; content:"home.onebb1mn.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509121; rev:1;)
# confidence_level 75 here, unlike the neighbouring ip:port rules at 100.
alert tcp $HOME_NET any -> [107.189.28.127] 58431 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509118/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509118; rev:1;)
# Domain indicators: exact match on the DNS query name (depth = content length,
# isdataat:!1,relative, nocase); subdomains of the listed names do not match.
# dns_query is the legacy spelling of the dns.query buffer; the http rules above
# already use the dotted buffer names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hemispherexz.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equatorf.run"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"latitudert.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509115; rev:1;)
# ip:port indicators labelled "Unknown malware": address and port are the whole
# match condition. Several entries use ports 80 and 443, where the rule cannot
# tell C2 traffic from any other TCP traffic to that address.
alert tcp $HOME_NET any -> [45.33.7.49] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509042; rev:1;)
alert tcp $HOME_NET any -> [45.33.7.49] 8090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509043; rev:1;)
alert tcp $HOME_NET any -> [172.105.213.140] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509044; rev:1;)
alert tcp $HOME_NET any -> [172.105.213.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509045; rev:1;)
alert tcp $HOME_NET any -> [119.45.254.168] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509047; rev:1;)
alert tcp $HOME_NET any -> [202.95.12.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509048; rev:1;)
alert tcp $HOME_NET any -> [47.117.39.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509049; rev:1;)
alert tcp $HOME_NET any -> [45.145.229.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509050; rev:1;)
alert tcp $HOME_NET any -> [3.111.3.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509053; rev:1;)
alert tcp $HOME_NET any -> [20.75.49.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509051; rev:1;)
alert tcp $HOME_NET any -> [3.110.153.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509052; rev:1;)
alert tcp $HOME_NET any -> [133.125.37.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509054; rev:1;)
alert tcp $HOME_NET any -> [3.8.142.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509056; rev:1;)
alert tcp $HOME_NET any -> [3.18.244.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509055; rev:1;)
alert tcp $HOME_NET any -> [3.144.180.65] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509059; rev:1;)
alert tcp $HOME_NET any -> [101.35.16.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509058; rev:1;)
alert tcp $HOME_NET any -> [3.71.232.128] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509060; rev:1;)
alert tcp $HOME_NET any -> [3.71.232.128] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509061; 
rev:1;)
# ThreatFox-generated rules of three shapes follow: ip:port, url (http) and
# domain (dns). Each carries its ThreatFox IOC reference, confidence level and
# first_seen date in the rule text.
#
# ip:port rule: the only selectors are the destination address and port in the
# header. There is no content match and no flow keyword, so any TCP packet from
# $HOME_NET to that endpoint matches; `threshold: type limit, track by_src,
# seconds 60, count 1` then caps output at one alert per source per 60 seconds.
# NOTE(review): a hit shows that a host sent traffic toward the endpoint, not
# that a session completed - corroborate with flow or host telemetry.
alert tcp $HOME_NET any -> [217.182.35.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509062; rev:1;)
# url rules for .onion hosts (confidence level 50%, no malware family in msg).
# http.uri content:"/" with depth:1 is satisfied by any URI that starts with
# "/", so the effective selector is the Host value: depth:62 together with
# isdataat:!1,relative requires the buffer to be exactly the 62-character name.
# NOTE(review): presumably these only fire where the request crosses the sensor
# as plain HTTP (for example through a proxy or gateway) - confirm that this
# matches the monitored environment before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509074/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cuuhrxbg52c5agytmtjpwfu7mrs4xtaitc4mukkiy2kqdxeqbcmuhaid.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509075/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"4ldgw2wuidqu5ef3rzx4byonf3y7rdnh43jiw2z4sbtjiwic6gkov7yd.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509076/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zktnif5vckhmz5tyrukp5bamatbfhkxjnb23rspsanyzywcrx3bvtqad.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509077/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77nrxelcwh47yikvpaz2rvtsten4sen2elybo5r5st6wlxsbitv255qd.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509078/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509079/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"p6wmotxzvg34tdmpwm4beqgrcyp5iys43snkccsahnw74la3k3xx6pad.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509080/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509081/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509081; rev:1;)
# domain rules for .onion names that also appear in the url rules above.
# depth:62 with isdataat:!1,relative makes the query match exact, and nocase
# makes it case-insensitive. dns_query is the older spelling of the dns.query
# sticky buffer; the http rules above already use the dotted buffer names.
# NOTE(review): .onion is a special-use name (RFC 7686) that is not expected to
# reach ordinary DNS resolvers, so a hit most likely reflects a name leaking to
# DNS - triage the querying host rather than expecting a resolved answer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cuuhrxbg52c5agytmtjpwfu7mrs4xtaitc4mukkiy2kqdxeqbcmuhaid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509083/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"4ldgw2wuidqu5ef3rzx4byonf3y7rdnh43jiw2z4sbtjiwic6gkov7yd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509084/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509082/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zktnif5vckhmz5tyrukp5bamatbfhkxjnb23rspsanyzywcrx3bvtqad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509085/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509087/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"77nrxelcwh47yikvpaz2rvtsten4sen2elybo5r5st6wlxsbitv255qd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509086/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509089/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"p6wmotxzvg34tdmpwm4beqgrcyp5iys43snkccsahnw74la3k3xx6pad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509088/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_21; classtype:trojan-activity; sid:91509088; rev:1;) alert tcp $HOME_NET any -> [171.22.31.46] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509038; rev:1;) alert tcp $HOME_NET any -> [43.156.249.97] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509039; rev:1;) alert tcp $HOME_NET any -> [91.245.255.53] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rnv.nxts.eu.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509041; rev:1;) alert tcp $HOME_NET any -> [104.168.7.12] 50572 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509037; rev:1;) alert tcp $HOME_NET any -> [63.133.222.220] 65122 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509033/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vpn2.hackcrack.io"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509034/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"192.210.175.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509012; rev:1;) alert tcp $HOME_NET any -> [193.233.237.109] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.letoq.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morbulao.sbs"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91508996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thefurrybazaar.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1509000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sound-designer-v21.pages.dev"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91508995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tracklist22.pages.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91508986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"security-check-l2j4.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91508987; rev:1;) alert tcp $HOME_NET any -> [185.9.146.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509112/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509112; rev:1;) alert tcp $HOME_NET any -> [103.100.209.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; 
classtype:trojan-activity; sid:91509110; rev:1;) alert tcp $HOME_NET any -> [8.138.119.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509111; rev:1;) alert tcp $HOME_NET any -> [154.12.22.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509109; rev:1;) alert tcp $HOME_NET any -> [154.201.75.152] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509108; rev:1;) alert tcp $HOME_NET any -> [79.119.57.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509107/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509107; rev:1;) alert tcp $HOME_NET any -> [66.78.40.163] 46921 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509106/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/giabst"; depth:7; nocase; http.host; content:"sblackeblast.run"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509105/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509105; rev:1;)
# url rule: GET request whose URI starts with "/vbs2" and whose Host value is
# exactly the 11-character literal below (depth:11 + isdataat:!1,relative).
# NOTE(review): the Host value is an RFC 1918 address (10.0.0.0/8) while the
# header is $HOME_NET -> $EXTERNAL_NET. Where 10.0.0.0/8 is part of $HOME_NET,
# a direct request to that host does not satisfy the header, so the rule would
# only match a request carrying this Host value toward an external address.
# A private address is also only meaningful inside the network where it was
# observed - verify the IOC before acting on hits, or disable the sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vbs2"; depth:5; nocase; http.host; content:"10.2.61.145"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509104/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_21; classtype:trojan-activity; sid:91509104; rev:1;)
# ip:port rules: matched on destination address and port alone (no content, no
# flow keyword); threshold limits output to one alert per source per 60 seconds.
# NOTE(review): on ports such as 80 and 443 any connection to the address
# alerts, whatever service is requested - check the first_seen date and the
# ThreatFox reference before treating a hit as current C2.
alert tcp $HOME_NET any -> [47.109.206.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509103; rev:1;)
alert tcp $HOME_NET any -> [18.180.239.207] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509102; rev:1;)
alert tcp $HOME_NET any -> [18.156.77.132] 2000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509100; rev:1;)
alert tcp $HOME_NET any -> [18.156.77.132] 51200 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count
1; reference:url, threatfox.abuse.ch/ioc/1509101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509101; rev:1;) alert tcp $HOME_NET any -> [63.176.170.74] 48382 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509098; rev:1;) alert tcp $HOME_NET any -> [13.231.249.197] 22305 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509099; rev:1;) alert tcp $HOME_NET any -> [196.251.118.210] 49998 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509097; rev:1;) alert tcp $HOME_NET any -> [163.172.125.253] 406 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509096; rev:1;) alert tcp $HOME_NET any -> [104.168.33.19] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509095; rev:1;) alert tcp $HOME_NET any -> 
[47.254.74.170] 13561 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509094; rev:1;) alert tcp $HOME_NET any -> [47.93.4.110] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509093; rev:1;) alert tcp $HOME_NET any -> [23.254.228.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509092; rev:1;) alert tcp $HOME_NET any -> [3.81.69.245] 5672 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509057; rev:1;) alert tcp $HOME_NET any -> [85.9.200.235] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509046; rev:1;) alert tcp $HOME_NET any -> [185.193.125.249] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1509032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509032; rev:1;) alert tcp $HOME_NET any -> [176.100.36.71] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509031; rev:1;) alert tcp $HOME_NET any -> [15.168.164.74] 11102 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509030; rev:1;) alert tcp $HOME_NET any -> [13.214.141.247] 5432 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509028; rev:1;) alert tcp $HOME_NET any -> [18.228.26.120] 10813 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509029; rev:1;) alert tcp $HOME_NET any -> [193.83.224.70] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509027; rev:1;) alert tcp $HOME_NET any -> [207.244.236.115] 
443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509026; rev:1;)
# domain rule: exact, case-insensitive match on the DNS query name
# (depth:55 + isdataat:!1,relative + nocase); subdomains and parent-domain
# lookups do not match.
# NOTE(review): the name is a cloud provider's generic compute hostname with
# an address embedded in it. Presumably such a name follows whoever currently
# holds that address, so the indicator can go stale when the instance is
# released - compare first_seen with the alert date before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-47-128-167-206.ap-southeast-1.compute.amazonaws.com"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509025; rev:1;)
# ip:port rule: destination address and port only, no content or flow keyword;
# limited to one alert per source per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [192.46.223.145] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509024; rev:1;)
# domain rule: exact match on the 12-character query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sslassla.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509023; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.232] 7077 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509021; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.136] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1509022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509022; rev:1;) alert tcp $HOME_NET any -> [194.26.192.213] 7077 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509020; rev:1;) alert tcp $HOME_NET any -> [45.95.42.190] 8001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509019; rev:1;) alert tcp $HOME_NET any -> [96.9.125.197] 1690 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509018; rev:1;) alert tcp $HOME_NET any -> [8.138.125.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_21; classtype:trojan-activity; sid:91509017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.xiaoyaoruchu.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1509011/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91509011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.letoq.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1509010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509010; rev:1;) alert tcp $HOME_NET any -> [45.144.50.8] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509008/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91509008; rev:1;) alert tcp $HOME_NET any -> [18.176.122.97] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509006; rev:1;) alert tcp $HOME_NET any -> [45.32.124.13] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509005; rev:1;) alert tcp $HOME_NET any -> [88.119.169.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509004; rev:1;) alert tcp $HOME_NET any -> [155.138.241.220] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509002; rev:1;)
# ip:port rules: destination address and port only, no content or flow keyword;
# the threshold option limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [196.251.115.31] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509003; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.218] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1509001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91509001; rev:1;)
# domain rules at confidence level 50% with no malware family in msg. Each is
# an exact, case-insensitive match on the full query name (depth equals the
# name length, isdataat:!1,relative forbids trailing bytes), so only this one
# host name alerts, not its parent domain.
# NOTE(review): both names appear to sit under shared dynamic-DNS or tunnel
# parent domains, where the address behind a host name can change quickly -
# pivot on the resolved address at alert time and on the querying host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"botnet9.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508999; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"given-neither.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508998; rev:1;)
alert tcp $HOME_NET any -> [67.217.228.14] 8080 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity;
sid:91508997; rev:1;) alert tcp $HOME_NET any -> [54.90.144.239] 4321 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508994; rev:1;) alert tcp $HOME_NET any -> [37.13.39.51] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508993; rev:1;) alert tcp $HOME_NET any -> [84.46.239.239] 4443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508992/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508992; rev:1;) alert tcp $HOME_NET any -> [47.99.169.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508990/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508990; rev:1;) alert tcp $HOME_NET any -> [1.94.105.46] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508991; rev:1;) alert tcp $HOME_NET any -> [45.227.253.91] 32400 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1508989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508989; rev:1;)
# The line above is the tail of a rule whose header sits on the previous line of this listing.
alert tcp $HOME_NET any -> [47.97.0.235] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508988/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508988; rev:1;)
# URL IOC rule. Conditions, all of which must hold:
#   flow:established,from_client  - client-to-server data on an established connection
#   http.method "GET"             - request method
#   http.uri "/mozi.m", depth:7   - anchored at the start of the URI only; there is no end
#                                   anchor, so any URI that begins with this string matches
#   http.host, depth:15 + isdataat:!1,relative - exact match on the Host value
# The http.host pattern carries no nocase; Suricata documents http.host as a lowercased
# buffer, so that is expected rather than an omission.
# The rule inspects parsed HTTP, so the same request inside TLS is not visible to it unless
# traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.248.206.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508985/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508985; rev:1;)
alert tcp $HOME_NET any -> [94.156.115.12] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508962/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508962; rev:1;)
# Domain IOC rules: depth equal to the pattern length plus isdataat:!1,relative gives an
# exact, case-insensitive match on the whole DNS query name; subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddwall.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508963/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508963; rev:1;)
# The rule below is cut by the listing's line wrap; the rest of its metadata, its sid and
# closing parenthesis follow on the next line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"itunesextractor.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508970/; target:src_ip; metadata: confidence_level 80,
first_seen 2025_04_20; classtype:trojan-activity; sid:91508970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.juket.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508982; rev:1;) alert tcp $HOME_NET any -> [146.19.170.222] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508984/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.juket.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508983; rev:1;) alert tcp $HOME_NET any -> [146.56.51.149] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neathealth.beauty"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508980; rev:1;) 
# ip:port IOC rules, one per ThreatFox entry. They match on the packet header only:
# protocol tcp, source in $HOME_NET, the listed destination address and port. There is no
# flow or payload condition, so a connection attempt that is never answered still alerts.
# Read a hit as "an internal host tried to reach this address" and corroborate it with
# flow records or endpoint telemetry before treating it as confirmed C2.
#   threshold: type limit, track by_src, seconds 60, count 1
#       -> at most one alert per source address per 60 seconds for each rule.
#   target:src_ip
#       -> the internal source address is reported as the target (victim) side of the event.
#   metadata: confidence_level / first_seen
#       -> feed-supplied values; nothing in the rule expires it, so an address that has
#          since been reassigned keeps alerting until the ruleset is refreshed.
alert tcp $HOME_NET any -> [46.201.81.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508979; rev:1;)
alert tcp $HOME_NET any -> [109.120.137.57] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508978; rev:1;)
alert tcp $HOME_NET any -> [3.8.78.144] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508977; rev:1;)
# Port 53 here is matched over TCP only; UDP traffic to the same address is outside this
# rule. NOTE(review): whether this C2 also uses UDP is not stated on this page.
alert tcp $HOME_NET any -> [16.163.161.107] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508976/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_20; classtype:trojan-activity; sid:91508976; rev:1;)
alert tcp $HOME_NET any -> [8.140.25.155] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508974; rev:1;)
# The rule below is cut by the listing's line wrap and continues on the next line. A
# Suricata rule has to be on one line (or use a trailing backslash to continue), so re-join
# the fragments before loading this file.
alert tcp $HOME_NET any -> [36.133.14.65] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508975/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508975; rev:1;) alert tcp $HOME_NET any -> [117.23.59.90] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508973; rev:1;) alert tcp $HOME_NET any -> [120.27.162.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508972; rev:1;) alert tcp $HOME_NET any -> [45.125.12.175] 23966 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508950/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.pivum.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.pivum.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; 
sid:91508961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"webmail.ebuildingsource.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508956/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"subscribe.bigeznola.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508957/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"customer.aaddigitalstrategies.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"regular.ptbaconsulting.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"academy.entrepreneurwealthhub.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508951/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hub.unlimitedcashflowevent.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508952/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ceo.cowholesaling.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508953/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"newsite.iapmd.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508954/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cpanel.buyjlindustriesonline.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508955/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508955; rev:1;) alert tcp $HOME_NET any -> [31.58.51.98] 24529 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508915; rev:1;) alert tcp $HOME_NET any -> [31.58.51.98] 59999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508916; rev:1;) alert tcp $HOME_NET any -> [51.38.137.114] 3771 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508917; rev:1;) alert tcp $HOME_NET any -> [103.178.235.240] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508918; rev:1;) alert tcp $HOME_NET any -> [103.178.235.240] 9555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508919; rev:1;) alert tcp $HOME_NET any -> [104.168.101.27] 1412 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508920; rev:1;) alert tcp $HOME_NET any -> [104.168.101.27] 3211 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508921; rev:1;) alert tcp $HOME_NET any -> [176.65.137.221] 41214 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508922; rev:1;) alert tcp $HOME_NET any -> [176.65.137.221] 12312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508923; rev:1;) alert tcp $HOME_NET any -> [176.65.138.240] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508924; rev:1;) alert tcp $HOME_NET any -> [176.65.140.174] 1995 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508925; rev:1;) alert tcp $HOME_NET any -> [176.65.140.174] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508926; rev:1;) alert tcp $HOME_NET any -> [176.65.141.183] 101 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508927/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_20; classtype:trojan-activity; sid:91508927; rev:1;) alert tcp $HOME_NET any -> [176.65.142.252] 25634 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508928; rev:1;) alert tcp $HOME_NET any -> [176.65.144.193] 26425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508929; rev:1;) alert tcp $HOME_NET any -> [176.65.144.193] 44115 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508930; rev:1;) alert tcp $HOME_NET any -> [176.65.144.253] 9654 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508931; rev:1;) alert tcp $HOME_NET any -> [185.196.9.222] 2211 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508932; rev:1;) alert tcp $HOME_NET any -> [185.196.9.222] 7733 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1508933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508933; rev:1;) alert tcp $HOME_NET any -> [192.241.146.135] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508934; rev:1;) alert tcp $HOME_NET any -> [192.241.146.135] 9555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508935; rev:1;) alert tcp $HOME_NET any -> [196.251.71.29] 25478 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508937; rev:1;) alert tcp $HOME_NET any -> [196.251.71.29] 56412 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508936; rev:1;) alert tcp $HOME_NET any -> [216.9.224.47] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508939; rev:1;) alert tcp $HOME_NET any -> [196.251.80.200] 3912 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508938; rev:1;) alert tcp $HOME_NET any -> [103.77.241.250] 2023 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508942; rev:1;) alert tcp $HOME_NET any -> [216.9.224.47] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508940; rev:1;) alert tcp $HOME_NET any -> [213.209.143.24] 34411 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508941; rev:1;) alert tcp $HOME_NET any -> [103.77.241.250] 2025 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508943; rev:1;) alert tcp $HOME_NET any -> [205.185.125.181] 420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; 
classtype:trojan-activity; sid:91508947; rev:1;) alert tcp $HOME_NET any -> [89.187.28.82] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508944; rev:1;) alert tcp $HOME_NET any -> [66.63.187.82] 6666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508945; rev:1;) alert tcp $HOME_NET any -> [205.185.125.181] 56412 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508946; rev:1;) alert tcp $HOME_NET any -> [61.7.209.115] 3211 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508948; rev:1;) alert tcp $HOME_NET any -> [61.7.209.115] 207 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508949; rev:1;) alert tcp $HOME_NET any -> [43.139.50.42] 62005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1508914/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"r-tube.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508913/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.pikip.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508775; rev:1;) alert tcp $HOME_NET any -> [107.149.213.17] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508875/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508875; rev:1;) alert tcp $HOME_NET any -> [107.149.213.18] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508876/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508876; rev:1;) alert tcp $HOME_NET any -> [137.175.86.216] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508878/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508878; rev:1;) alert tcp $HOME_NET any -> 
[137.175.86.215] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508877/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508877; rev:1;) alert tcp $HOME_NET any -> [137.175.90.209] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508881/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508881; rev:1;) alert tcp $HOME_NET any -> [137.175.86.217] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508879/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508879; rev:1;) alert tcp $HOME_NET any -> [137.175.86.219] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508880/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508880; rev:1;) alert tcp $HOME_NET any -> [137.175.90.210] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508882/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508882; rev:1;) alert tcp $HOME_NET any -> [137.175.90.211] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508883/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508883; rev:1;) alert tcp $HOME_NET any -> [198.2.208.57] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508886/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508886; rev:1;) alert tcp $HOME_NET any -> [137.175.90.212] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508884/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508884; rev:1;) alert tcp $HOME_NET any -> [137.175.90.213] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508885/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508885; rev:1;) alert tcp $HOME_NET any -> [198.2.208.60] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508888/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508888; rev:1;) alert tcp $HOME_NET any -> [198.2.208.59] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508887/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508887; rev:1;) alert tcp $HOME_NET any -> [198.2.208.61] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508889/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508889; rev:1;)
# The line above is the tail of a rule whose header sits on the previous line of this listing.
# ip:port rules below match on the packet header only (no flow or payload condition) and
# are limited to one alert per source address per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [3.67.62.142] 18188 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508890/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508890; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.43] 7232 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508912/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508912; rev:1;)
# Domain IOC rule: depth equal to the pattern length plus isdataat:!1,relative gives an
# exact, case-insensitive match on the whole DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"technical-equally.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508911/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508911; rev:1;)
alert tcp $HOME_NET any -> [80.241.209.53] 12182 (msg:"ThreatFox CapraRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508910/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508910; rev:1;)
# NOTE(review): likely detection gap. Unlike the other url rules in this file, this one has
# no http.host match and places an IP address in http.uri, anchored at the start of the
# buffer by depth:13. The URI buffer normally holds the request path and begins with "/",
# so a pattern that must start at offset 0 with a digit looks unlikely to match real
# requests. The address was presumably meant for http.host (with depth and
# isdataat:!1,relative as in the sibling rules); confirm against the referenced ThreatFox
# entry before relying on this sid. The same address is also covered on tcp/443 by
# sid:91508896 later in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"203.245.0.121"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1508909/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508909; rev:1;)
alert tcp $HOME_NET any -> [95.140.156.252] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508908; rev:1;)
alert tcp $HOME_NET any -> [156.238.245.37] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508907; rev:1;)
alert tcp $HOME_NET any -> [173.249.198.224] 8547 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508906; rev:1;)
alert tcp $HOME_NET any -> [171.227.30.106] 5002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508905; rev:1;)
# URL IOC rules for Host kick.us.com. This rule needs a URI that begins with "/fwgwng.bat"
# (start-anchored by depth:11, no end anchor) and an exact Host match. The rule after it
# (sid:91508903) only needs a URI that begins with "/", so it should alert on any GET to
# this Host; expect both sids on a request for the .bat path and account for the broader
# one when tuning at confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwgwng.bat"; depth:11; nocase; http.host; content:"kick.us.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508904/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508904; rev:1;)
# The rule below is cut by the listing's line wrap and continues on the next line. A
# Suricata rule has to be on one line (or use a trailing backslash to continue), so re-join
# the fragments before loading this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery
(url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kick.us.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508903/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508903; rev:1;) alert tcp $HOME_NET any -> [107.150.0.56] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508902; rev:1;) alert tcp $HOME_NET any -> [101.36.122.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508901; rev:1;) alert tcp $HOME_NET any -> [116.204.85.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508900; rev:1;) alert tcp $HOME_NET any -> [47.109.203.76] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508899; rev:1;) alert tcp $HOME_NET any -> [31.25.24.159] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1508898/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508898; rev:1;) alert tcp $HOME_NET any -> [52.18.3.105] 4506 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508897/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508897; rev:1;) alert tcp $HOME_NET any -> [203.245.0.121] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508896/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508896; rev:1;) alert tcp $HOME_NET any -> [107.148.49.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508895/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508895; rev:1;) alert tcp $HOME_NET any -> [47.93.25.72] 9088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508894/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.carin.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; 
sid:91508892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.carin.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"wnighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508891/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"lquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508874/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508874; rev:1;) alert tcp $HOME_NET any -> [176.65.149.155] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508873/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508873; rev:1;) alert tcp $HOME_NET any -> [67.71.45.223] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508872/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508872; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"lpiratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508871/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"dquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508870/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"3salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508869/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"v7salaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508868/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wozd"; depth:5; nocase; http.host; content:"pstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508867/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508867; rev:1;)
# url rules, confidence 50. All share one shape: method GET, an http.uri prefix
# (depth equals the pattern length and nothing forbids trailing bytes), and an
# exact http.host (depth plus isdataat:!1,relative). They fire only on requests
# Suricata parses as HTTP, so traffic to these hosts over TLS is not covered
# here unless it is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w63ksk/"; depth:8; nocase; http.host; content:"axcd.iwwhyw.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508865/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f4mmzlxu/"; depth:10; nocase; http.host; content:"hlq.lbhoci.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508866/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eme4si/"; depth:8; nocase; http.host; content:"assignideate.dsudag.es"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508862/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508862; rev:1;)
# NOTE(review): the URI pattern below ends in what looks like an e-mail address
# after "$", presumably the recipient token of one specific link (confirm on
# the IOC page). As written this sid fires only for that one path; requests to
# other paths on cqne.zuxsc.es are not matched by it. The address is carried in
# the rule text and in any logged URL, so treat shared rule sets and alert
# exports as containing third-party personal data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dnvci/$mattf@jfrealestate.com"; depth:30; nocase; http.host; content:"cqne.zuxsc.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508863/;
target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70bdkbd4anto6gd/"; depth:17; nocase; http.host; content:"dto.bpdaokygwg.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508864/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/red/"; depth:5; nocase; http.host; content:"blog.tytprngxckyk.es"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508859/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xqczefkg/"; depth:10; nocase; http.host; content:"hze.phiachiphe.ru"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxzeoy/"; depth:8; nocase; http.host; content:"9rgf.datafforge.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508861/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1pcfpg/"; depth:8; nocase; http.host; content:"ndd.ifnqmlwx.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508856/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kgtkh4o0/"; depth:10; nocase; http.host; content:"gaj6u.hjywaif.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508857/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508857; rev:1;)
# Same http.uri and http.host patterns as sid 91508835 later in this file
# (IOC 1508835). One matching request raises both alerts, so deduplicate on the
# host/URI pair when counting hits. The host match is exact, so only this one
# r2.dev subdomain is covered, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indexx.html"; depth:12; nocase; http.host; content:"pub-4cb2d2ab6eaf43e8bf67c734cdf12e01.r2.dev"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508858/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activ/$/"; depth:9; nocase; http.host; content:"t5.wfuxsnwjnjb.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508854/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508854; rev:1;)
# NOTE(review): the URI pattern below contains the percent-escape "%23" ("#")
# and is matched in http.uri, the normalized buffer. If the HTTP parser decodes
# escapes before inspection, the literal bytes "%23" are absent and this sid
# stays silent. Verify with a test request; http.uri.raw is the undecoded
# buffer. The text after %23 looks like a recipient e-mail address, presumably
# a per-target link, so the rule is specific to that one recipient and the rule
# text itself carries third-party personal data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/taine4k0/%23slee@slurpmail.net"; depth:31; nocase; http.host; content:"oyoa.wcjysnwknbgv.es"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508855/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjor/"; depth:6; nocase; http.host; content:"ji.qslwif.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508852/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msg1w31/"; depth:9; nocase; http.host; content:"oj.elindactori.ru"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508853/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wclezf/"; depth:8; nocase; http.host; content:"nnkn.oaczr.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508849/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hw30u4y6/"; depth:10; nocase; http.host; content:"6p.ziyzgd.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508850/;
target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joqz06s/"; depth:9; nocase; http.host; content:"ibi4.ueinrrv.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508851/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwqofq/"; depth:8; nocase; http.host; content:"yv.qhynyhmkhob.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508847/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bereila/bereila.html"; depth:21; nocase; http.host; content:"bereila.blob.core.windows.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508848/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t6gxxj4z/"; depth:10; nocase; http.host; content:"1nc.smlyhe.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508844/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508844; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppxzv/"; depth:7; nocase; http.host; content:"t445xrxe.bavdaea.es"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508845/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jgx71p/"; depth:8; nocase; http.host; content:"5jp.rbitatiab.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508846/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1jgkofpl/"; depth:10; nocase; http.host; content:"y4.keusxhpgy.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508842/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uocms/"; depth:7; nocase; http.host; content:"incture.xgtfctr.es"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508843/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eqxhz/"; 
depth:7; nocase; http.host; content:"rff.rrtussgb.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508839/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssxkohf/"; depth:9; nocase; http.host; content:"z9j.hflumi.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508840/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0wvbcga/"; depth:10; nocase; http.host; content:"kxi.riywmc.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508841/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508841; rev:1;)
# NOTE(review): the URI pattern below contains the percent-escape "%23" ("#")
# but is matched in http.uri, the normalized buffer. If escapes are decoded
# before inspection the literal "%23" never appears and the rule cannot fire;
# confirm with a test request (http.uri.raw holds the undecoded URI). The text
# after %23 looks like a recipient e-mail address, presumably a per-target
# link, so the match is specific to one recipient and the rule text carries
# third-party personal data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mx2ovzlqy/%23xwlunders@slurpmail.net"; depth:37; nocase; http.host; content:"yiv.stqevw.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508837/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kehl/"; depth:6; nocase; http.host; content:"hp0vrx.utepfqpn.es"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508838/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hlnz62kk/"; depth:10; nocase; http.host; content:"4829482948294829482948294829482948482948.uronfecit.ru"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508834/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508834; rev:1;)
# Same http.uri and http.host patterns as sid 91508858 earlier in this file
# (IOC 1508858). One matching request raises both alerts, so deduplicate on the
# host/URI pair rather than counting sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indexx.html"; depth:12; nocase; http.host; content:"pub-4cb2d2ab6eaf43e8bf67c734cdf12e01.r2.dev"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508835/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2ns5x6/"; depth:8; nocase; http.host; content:"uivd.rzvpovoqysa.es"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508836/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7r4/"; depth:6; nocase; http.host; content:"7xlg.rkqymjx.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508831/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508831; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sguejwf/"; depth:9; nocase; http.host; content:"nvzz.cxprnvhh.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508832/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jxxf4rdj/"; depth:10; nocase; http.host; content:"oqd.qwivrle.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508833/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1qbiaha/"; depth:9; nocase; http.host; content:"oit.qlhtjv.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508829/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mongreta/mongreta.html"; depth:23; nocase; http.host; content:"mongreta.blob.core.windows.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508830/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/anewa/"; depth:7; nocase; http.host; content:"eastgold.xyxmusr.es"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508826/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o06kif/"; depth:8; nocase; http.host; content:"mbtrzn.sdcaznbe.es"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508827/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poavxb/"; depth:8; nocase; http.host; content:"plfo.zdzhwsdskx.es"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508828/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbq3wdj/"; depth:9; nocase; http.host; content:"s8.ingolothy.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508823/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o97yr9kq/"; depth:10; nocase; http.host; content:"n1.izowddta.es"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1508824/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcy5ppt/"; depth:9; nocase; http.host; content:"nt.maiupr.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508825/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4swhfy2z/"; depth:10; nocase; http.host; content:"fhhp.yclnjj.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508821/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwfbcbz/"; depth:9; nocase; http.host; content:"wl7.htheaded.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508822/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wdky1/"; depth:7; nocase; http.host; content:"ek.kyvankvg.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508818/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508818; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redirectpage.aspx"; depth:18; nocase; http.host; content:"ilovecondo.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508819/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wox/"; depth:5; nocase; http.host; content:"hyi.ozsicprvvbo.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508820/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cukg/"; depth:6; nocase; http.host; content:"htu.fzpoqs.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508816/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9nge/"; depth:6; nocase; http.host; content:"tli.manisnionti.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508817/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mucnjv6/"; 
depth:9; nocase; http.host; content:"bz.yyevowobz.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508813/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wdky1/"; depth:7; nocase; http.host; content:"eb.kyvankvg.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508814/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpsylky/"; depth:9; nocase; http.host; content:"gd.yvgherre.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508815/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bkuu985ym8vgeu/"; depth:17; nocase; http.host; content:"0eaw.ykgznx.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508810/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1wvb/"; depth:7; nocase; http.host; content:"uka.xvypywmiv.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508811/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_04_20; classtype:trojan-activity; sid:91508811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poavxb/"; depth:8; nocase; http.host; content:"t6y.zdzhwsdskx.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508812/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mailsend/v1/click/555860/372270/227/651/238"; depth:44; nocase; http.host; content:"api.us2.500apps.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508808/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4swhfy2z/"; depth:10; nocase; http.host; content:"bjq.yclnjj.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508809/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kyt5d/"; depth:7; nocase; http.host; content:"gtnc.erwelrastoc.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508805/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rt5c/"; depth:6; nocase; http.host; content:"4fu36-cosaction.hcwniwgrqy.es"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508806/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fkyj/"; depth:6; nocase; http.host; content:"fpc8.usktcp.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508807/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rt5c/"; depth:6; nocase; http.host; content:"laucc-fdm4.hcwniwgrqy.es"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508803/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9rgxd7g5st7wqpf/"; depth:17; nocase; http.host; content:"90.bpahhcicdbw.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508804/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rt5c/"; depth:6; nocase; http.host; 
content:"kya8k-fdm4.hcwniwgrqy.es"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508801/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dnvci/"; depth:7; nocase; http.host; content:"1y.zuxsc.es"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508802/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0wvbcga/"; depth:10; nocase; http.host; content:"mwp.riywmc.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508798/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gqncds8idt8ti9j/"; depth:17; nocase; http.host; content:"uja5.gpkfnynp.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508799/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wqd2hea/"; depth:9; nocase; http.host; content:"v7wd.jbifnidlafjb.es"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508800/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_04_20; classtype:trojan-activity; sid:91508800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wpm6/"; depth:6; nocase; http.host; content:"4pl.bzlvvm.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508796/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wgfhz9i/"; depth:9; nocase; http.host; content:"8q.azpbc.es"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508797/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bkuu985ym8vgeu/"; depth:17; nocase; http.host; content:"c5r.ykgznx.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508793/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iisbetmi/"; depth:10; nocase; http.host; content:"art.zkmwcsprv.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508794/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9crzk/"; depth:7; nocase; http.host; content:"bhj9j.cgehpee.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508795/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22jxe9ka/"; depth:10; nocase; http.host; content:"4d.examzl.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508790/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvc68/"; depth:7; nocase; http.host; content:"ttp.mindlooip.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508791/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/red/"; depth:5; nocase; http.host; content:"4lw.tytprngxckyk.es"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508792/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bfakpv/"; depth:8; nocase; http.host; content:"2fqw.ozeubkt.ru"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1508788/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uvq9w4jk/"; depth:10; nocase; http.host; content:"x1.qkbnkruvtjo.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508789/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iboctllz/"; depth:10; nocase; http.host; content:"if.wntfxw.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508785/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-oistne/index.html"; depth:21; nocase; http.host; content:"bobcroft.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508786/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gardon/gardon.html"; depth:19; nocase; http.host; content:"gardon.blob.core.windows.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508787/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; 
sid:91508787; rev:1;)
# URL indicators: each "alert http" rule below matches a GET from $HOME_NET whose
# URI starts with the listed path (content + depth anchors the pattern at offset 0,
# nocase applies to the URI pattern) and whose http.host equals the listed name
# exactly (depth equals the pattern length and isdataat:!1,relative rejects any
# trailing bytes). They only see traffic Suricata parses as HTTP; requests to the
# same hosts inside TLS are not inspected unless decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nongo/"; depth:7; nocase; http.host; content:"tsd.oqitjjf.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508783/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nongo/"; depth:7; nocase; http.host; content:"bvmffod.oqitjjf.es"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508784/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwre/"; depth:6; nocase; http.host; content:"yw.vyponky.es"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508780/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508780; rev:1;)
# NOTE(review): the http.uri pattern in the next rule carries what looks like an
# e-mail address after the path token, so the 40-byte prefix ties the signature to
# that one address value; a request to the same host and path token with a
# different address would not match. Consider a host-only companion rule if
# broader coverage of this host is wanted, and treat the address as possible
# personal data when alerts are forwarded or shared.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngk03wlh/$sealogistics.ve@slurpmail.net"; depth:40; nocase; http.host; content:"mm4c.kmyrtgic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508781/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da3ycqo0/"; depth:10; nocase; http.host; content:"hkn.omxdjymjrp.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508782/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4duz/"; depth:6; nocase; http.host; content:"cjgo.qdgekfr.es"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508778/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indexx.html"; depth:12; nocase; http.host; content:"pub-4cb2d2ab6eaf43e8bf67c734cdf12e01.r2.dev"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508779/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53lem5c/"; depth:9; nocase; http.host; content:"a8.xquwjhogz.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508777/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.pikip.icu"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508776; rev:1;) alert tcp $HOME_NET any -> [198.2.208.57] 1523 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508774/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508774; rev:1;) alert tcp $HOME_NET any -> [162.216.112.124] 8088 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hiesa-56152.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508770/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"feb-travelers.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508771/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508771; rev:1;) alert tcp $HOME_NET any -> [54.212.58.238] 32298 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; 
classtype:trojan-activity; sid:91508772; rev:1;)
# ip:port indicators: the "alert tcp" rules below carry no flow or payload
# keywords, so they match any TCP packet from $HOME_NET to the listed address and
# port; "threshold: type limit, track by_src, seconds 60, count 1" caps output at
# one alert per source per 60 seconds. An alert therefore shows a connection
# attempt (possibly an unanswered SYN), not an established session; confirm with
# flow records before treating the source host as compromised.
alert tcp $HOME_NET any -> [181.162.178.29] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508769; rev:1;)
alert tcp $HOME_NET any -> [13.250.199.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508768; rev:1;)
alert tcp $HOME_NET any -> [163.172.125.253] 400 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508767; rev:1;)
alert tcp $HOME_NET any -> [137.184.35.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508766; rev:1;)
# NOTE(review): the next rule targets a single paste on a shared public host. The
# paste key is written in lower case and matched with nocase, and the URI match is
# a prefix (depth:13, no end anchor). Paste keys on this service are presumably
# case-sensitive, so a different paste whose key differs only in letter case, or
# any longer path sharing this prefix, would also alert. Weigh that together with
# confidence_level 50 during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/00mybwuz"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508765/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508765; rev:1;)
alert tcp $HOME_NET any -> [45.230.255.103] 8000 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508763; rev:1;) alert tcp $HOME_NET any -> [194.59.31.31] 2500 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508764; rev:1;) alert tcp $HOME_NET any -> [125.77.172.64] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508762; rev:1;) alert tcp $HOME_NET any -> [107.174.85.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nfvynppg"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508760/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bot.argus-services.xyz"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508759/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508759; rev:1;) alert tcp $HOME_NET any -> [111.180.190.199] 31880 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508755/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508755; rev:1;) alert tcp $HOME_NET any -> [111.180.190.199] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508756/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508756; rev:1;) alert tcp $HOME_NET any -> [176.65.134.55] 3470 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508757/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508757; rev:1;) alert tcp $HOME_NET any -> [77.105.161.9] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508758/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"boards-essential.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508751/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508751; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"earth-schedules.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508752/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508752; rev:1;)
# Domain indicators: each "alert dns" rule matches a query whose name equals the
# listed string exactly, case-insensitively (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes). Subdomains of a listed name are
# therefore not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"summer-malaysia.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508753/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508753; rev:1;)
# NOTE(review): the query name in the next rule ends in ".ply.g", while the
# neighbouring entries under the same parent end in ".ply.gg". Because the match
# is exact (depth:29 equals the pattern length and nothing may follow), a lookup
# for the ".gg" form would NOT match this rule. This looks like an indicator that
# was truncated in the feed -- TODO confirm against the referenced ThreatFox entry
# before relying on this sid for coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"technical-equally.gl.at.ply.g"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508754/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508754; rev:1;)
# The three AsyncRAT entries that follow share one destination address and differ
# only in port; each has its own sid and its own per-source 60-second threshold,
# so one host contacting all three ports can raise three alerts.
alert tcp $HOME_NET any -> [194.59.30.194] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508748/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508748; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.194] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508749/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508749; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.194] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508750/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508750; rev:1;) alert tcp $HOME_NET any -> [185.94.29.209] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508747/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"envio10-04-25.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508746/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"odash.aarkernerse.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508745/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"partner-id3695.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508744/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.87.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508743/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508743; rev:1;)
# NOTE(review): in the URL rules here the URI pattern is a single "/" at offset 0,
# which in practice holds for any request path, so the effective condition is
# "GET with http.host exactly equal to the listed IP literal". The match is on the
# Host value, not on the destination address: a request sent to that address under
# a different Host value is presumably not covered, and the destination in the
# rule header stays $EXTERNAL_NET any.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.72.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508742/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.72.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508741/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508741; rev:1;)
# ip:port indicators at confidence_level 50: these rules have no flow or payload
# keywords and match any TCP packet to the listed address and port, limited to one
# alert per source per 60 seconds. The feed records only first_seen, so whether an
# address is still in use by the named family is not stated here -- correlate with
# other telemetry before escalating.
alert tcp $HOME_NET any -> [108.141.125.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508740/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508740; rev:1;)
alert tcp $HOME_NET any -> [171.227.30.106] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508739/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508739; rev:1;)
alert tcp $HOME_NET any -> [13.37.233.32] 8723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508737/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508737; rev:1;)
# The line above completes a rule that starts on the previous line.
#
# ip:port rules: no flow or content keyword is present, so each rule matches on
# the destination address and port alone. An alert shows that a $HOME_NET host
# sent TCP traffic there, not that the payload was C2. "threshold: type limit,
# track by_src, seconds 60, count 1" caps each rule at one alert per source
# address per 60 seconds. Each sid is 9 followed by the ThreatFox IOC id from
# the reference URL.
# Every ip:port rule in this group is confidence_level 50: treat a hit as a lead
# to corroborate with host or proxy telemetry, not as confirmed compromise.
# NOTE(review): several of these addresses look like shared cloud-provider
# ranges - confirm current ownership before using them for blocking.
alert tcp $HOME_NET any -> [3.26.2.255] 902 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508738/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508738; rev:1;)
alert tcp $HOME_NET any -> [13.245.82.245] 9761 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508736/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508736; rev:1;)
alert tcp $HOME_NET any -> [13.203.75.50] 21025 (msg:"ThreatFox BlackShades botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508735/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508735; rev:1;)
alert tcp $HOME_NET any -> [3.123.4.89] 1025 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508733/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508733; rev:1;)
alert tcp $HOME_NET any -> [54.180.138.77] 7634 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508734/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508734; rev:1;)
alert tcp $HOME_NET any -> [3.123.4.89] 21025 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508732/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508732; rev:1;)
# NOTE(review): all five Sliver entries use port 31337, presumably the
# framework's default operator listener rather than an implant callback port -
# confirm; if so, a hit points at the server host more than at beaconing.
alert tcp $HOME_NET any -> [65.38.98.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508729/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508729; rev:1;)
alert tcp $HOME_NET any -> [185.141.216.95] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508730/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508730; rev:1;)
alert tcp $HOME_NET any -> [138.197.61.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508731/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508731; rev:1;)
alert tcp $HOME_NET any -> [47.93.135.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508727/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508727; rev:1;)
alert tcp $HOME_NET any -> [43.131.5.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508728/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508728; rev:1;)
# Cobalt Strike entries on 80 and 443: with no content match, any TCP traffic
# from $HOME_NET to these address/port pairs raises the alert.
alert tcp $HOME_NET any -> [43.133.72.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508725; rev:1;)
alert tcp $HOME_NET any -> [124.70.203.28] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508726; rev:1;)
alert tcp $HOME_NET any -> [185.9.146.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_20; classtype:trojan-activity; sid:91508724; rev:1;)
# url rule: a GET in the client-to-server direction of an established flow.
# http.uri content with depth:5 anchors only the start of the URI, so any path
# beginning with "/gksi" (any case, because of nocase) matches. http.host with
# depth equal to the name length plus isdataat:!1,relative requires the whole
# host buffer to equal the name. Only cleartext HTTP is inspected; the same
# host reached over TLS is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"3quilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508723/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508723; rev:1;)
# domain rule (continues on the next line): dns_query with depth equal to the
# name length plus isdataat:!1,relative matches this exact query name only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lowwood.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508722/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_04_20; classtype:trojan-activity; sid:91508722; rev:1;)
# The line above completes a rule that starts on the previous line.
#
# url rules: GET requests in the client-to-server direction of an established
# flow. http.uri is a prefix match (depth only, case-insensitive), so longer
# paths and query strings after the listed prefix also match, while "/apri.php"
# is not matched by the "/apr.php" rule. http.host must equal the listed name
# exactly (depth equals the name length and isdataat:!1,relative forbids
# trailing bytes). Only cleartext HTTP is inspected: requests to the same hosts
# over TLS are not seen by these rules, so pair them with DNS or TLS SNI
# coverage if these hosts matter.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apri.php"; depth:9; nocase; http.host; content:"auntapproval.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/art.php"; depth:8; nocase; http.host; content:"dustfurniture.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bik.php"; depth:8; nocase; http.host; content:"pancakebag.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr.php"; depth:8; nocase; http.host; content:"auntapproval.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508720; rev:1;)
# Tofsee ip:port rule; its remaining options are on the next line.
alert tcp $HOME_NET any -> [88.214.48.65] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508560; rev:1;)
# The line above completes a rule that starts on the previous line.
#
# Tofsee group: every Tofsee rule in this span targets one of three adjacent
# addresses (88.214.48.64, .65, .66) on ports between 417 and 431, one rule and
# one sid per ThreatFox IOC (sid = 9 followed by the IOC id in the reference
# URL). The rules match on address and port only (no flow or content keyword).
# The threshold caps each rule at one alert per source address per 60 seconds,
# but it is per rule: a host that walks several ports raises one alert per
# matching sid, so correlate by source and destination address when triaging.
# target:src_ip marks the $HOME_NET side as the affected host in alert output.
alert tcp $HOME_NET any -> [88.214.48.66] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508561; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508562; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508563; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508565; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508566; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508564; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 420 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508579; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508587; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508590; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508591; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508592; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508594; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508593; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508595; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508596; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508597; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 422 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508598; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508601; rev:1;)
# domain rule: dns_query content with depth equal to the name length plus
# isdataat:!1,relative matches the exact query name only (subdomains and
# look-alike suffixes do not match); nocase makes the comparison
# case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.pejel.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508599; rev:1;)
# NjRAT pair at confidence_level 75, one ip:port rule and one exact-name
# domain rule.
# NOTE(review): ply.gg appears to be a public tunnelling-service domain, and
# the ip:port entry may be shared tunnel infrastructure - verify before
# blocking on the address alone.
alert tcp $HOME_NET any -> [147.185.221.27] 47881 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508588/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yet-continental.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508589/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508589; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508606; rev:1;)
# The next line starts a rule whose remainder is on the following line.
alert 
tcp $HOME_NET any -> [88.214.48.64] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508607; rev:1;)
# The line above completes a rule whose "alert" keyword is on the previous line.
#
# ip:port rules in this span match on destination address and port alone (no
# flow or content keyword) and are limited to one alert per source address per
# 60 seconds per rule. The Tofsee entries all target 88.214.48.64, .65 or .66
# on ports 416 to 429, one sid per ThreatFox IOC.
alert tcp $HOME_NET any -> [88.214.48.64] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508608; rev:1;)
# url rule with a literal IP address as the host: http.host must equal
# "172.82.91.106" exactly, and http.uri must begin with "/p.txt" (prefix match,
# case-insensitive). Cleartext HTTP only.
# NOTE(review): whether a Host value that carries an explicit port still
# matches depends on how the engine normalises http.host - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p.txt"; depth:6; nocase; http.host; content:"172.82.91.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508609; rev:1;)
alert tcp $HOME_NET any -> [88.243.7.236] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508617; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508621; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508618; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508619; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508620; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508622; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508623; rev:1;)
# domain rules: dns_query content with depth equal to the name length plus
# isdataat:!1,relative matches one exact query name, case-insensitively.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ladoicese.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508632; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508636; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508642; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 429 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508641; rev:1;)
# NjRAT entries at confidence_level 75: two addresses, same port 13573.
alert tcp $HOME_NET any -> [3.67.15.169] 13573 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508643/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508643; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 13573 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508644/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508644; rev:1;)
# kaohej.* group: each dns_query rule matches one exact name, so the apex and
# the core.* name of each TLD have their own sid and any other subdomain is not
# covered by these six rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kaohej.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.kaohej.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kaohej.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.kaohej.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kaohej.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core.kaohej.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508650; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508659; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508660; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 427 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508680; rev:1;)
alert tcp $HOME_NET any -> [212.237.218.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508681; rev:1;)
alert tcp $HOME_NET any -> [23.227.167.188] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508685; rev:1;)
# The next rule's remaining options are on the following line.
alert tcp $HOME_NET any -> [196.251.90.83] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508682/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_04_20; classtype:trojan-activity; sid:91508682; rev:1;)
# The line above completes a rule that starts on the previous line.
#
# ip:port rules in this span match on destination address and port alone (no
# flow or content keyword); the threshold caps each rule at one alert per
# source address per 60 seconds. Every rule here carries first_seen 2025_04_20,
# presumably the date the IOC was first reported: address-based indicators go
# stale as hosts are reassigned, so check the reference URL before acting on
# an old entry.
alert tcp $HOME_NET any -> [84.247.148.249] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508684/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_20; classtype:trojan-activity; sid:91508684; rev:1;)
alert tcp $HOME_NET any -> [47.128.167.206] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508686; rev:1;)
alert tcp $HOME_NET any -> [171.22.31.46] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508687; rev:1;)
# domain rule: exact, case-insensitive match on the full query name only
# (depth equals the name length and isdataat:!1,relative forbids trailing
# bytes); other names under the same parent domain need their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.socalmediazone.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508688; rev:1;)
alert tcp $HOME_NET any -> [196.251.87.16] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508689; rev:1;)
# "Unknown malware" entries: the msg names no family, so the alert text alone
# gives no triage context - follow the reference URL for the ThreatFox entry.
# The rules on 443 and 8080 fire on any TCP traffic to that address and port,
# including legitimate services if the address is shared or has been
# reassigned.
# NOTE(review): some of these addresses look like cloud-provider ranges -
# confirm current ownership before blocking on the address alone.
alert tcp $HOME_NET any -> [45.33.7.49] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508690; rev:1;)
alert tcp $HOME_NET any -> [51.15.194.103] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508691; rev:1;)
alert tcp $HOME_NET any -> [36.138.95.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508692; rev:1;)
alert tcp $HOME_NET any -> [65.108.209.233] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508694; rev:1;)
alert tcp $HOME_NET any -> [192.145.45.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508693; rev:1;)
alert tcp $HOME_NET any -> [38.242.221.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508695; rev:1;)
alert tcp $HOME_NET any -> [192.145.28.124] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508696; rev:1;)
alert tcp $HOME_NET any -> [52.204.130.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508697; rev:1;)
alert tcp $HOME_NET any -> [52.72.220.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508698; rev:1;)
alert tcp $HOME_NET any -> [47.94.8.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508700; rev:1;)
alert tcp $HOME_NET any -> [101.200.29.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508699; rev:1;)
alert tcp $HOME_NET any -> [51.178.141.34] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508701; rev:1;)
alert tcp $HOME_NET any -> [1.92.144.199] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508702; rev:1;)
alert tcp $HOME_NET any -> [52.139.216.69] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508703; rev:1;)
alert tcp $HOME_NET any -> [165.232.47.88] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508704; rev:1;)
alert tcp $HOME_NET any -> [157.230.97.17] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508705; rev:1;)
alert tcp $HOME_NET any -> [3.7.190.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508706; rev:1;)
alert tcp $HOME_NET any -> [174.35.59.229] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508707; rev:1;)
alert tcp $HOME_NET any -> [111.229.149.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508708; rev:1;)
# QakBot and Cobalt Strike entries on 443 and 80: address-and-port matches
# only, so the alert cannot distinguish C2 from other traffic to the same host.
alert tcp $HOME_NET any -> [2.122.168.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508712; rev:1;)
alert tcp $HOME_NET any -> [154.246.33.169] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508713; rev:1;)
alert tcp $HOME_NET any -> [2.57.241.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508717; rev:1;)
# The next rule's remaining options are on the following line.
alert tcp $HOME_NET any -> [103.89.137.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508715/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508715; rev:1;)
# The line above completes a rule that starts on the previous line.
#
# ip:port rules in this span match on destination address and port alone (no
# flow or content keyword), limited to one alert per source address per 60
# seconds per rule. Three entries are confidence_level 75 (one AsyncRAT, two
# Cobalt Strike); the rest are 100. Each sid is 9 followed by the ThreatFox
# IOC id from the reference URL.
alert tcp $HOME_NET any -> [146.19.170.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508716; rev:1;)
alert tcp $HOME_NET any -> [185.39.17.70] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508714/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508714; rev:1;)
# domain rule: exact, case-insensitive match on the full 42-byte query name.
# NOTE(review): the name embeds "104-168-101-27", which looks like an
# address-derived hostname issued by a hosting provider; the rule covers this
# one name only, not the parent domain - confirm scope is as intended.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.aa.104-168-101-27.cprapid.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508711; rev:1;)
alert tcp $HOME_NET any -> [118.184.187.174] 54681 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508709; rev:1;)
alert tcp $HOME_NET any -> [107.150.0.237] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508710; rev:1;)
alert tcp $HOME_NET any -> [103.39.79.160] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508683; rev:1;)
alert tcp $HOME_NET any -> [8.213.235.187] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508679/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508679; rev:1;)
alert tcp $HOME_NET any -> [134.175.89.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508678/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_20; classtype:trojan-activity; sid:91508678; rev:1;)
alert tcp $HOME_NET any -> [3.69.197.94] 44818 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508677; rev:1;)
alert tcp $HOME_NET any -> [171.227.30.106] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508676; rev:1;)
alert tcp $HOME_NET any -> [5.161.207.95] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508675; rev:1;)
alert tcp $HOME_NET any -> [118.195.162.44] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508674; rev:1;)
alert tcp $HOME_NET any -> [2.59.117.173] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508671; rev:1;)
alert tcp $HOME_NET any -> [83.217.209.65] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"react.socalmediazone.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508673; rev:1;)
# Two AsyncRAT entries for the same address on different ports; the second
# rule's remaining options are on the following line.
alert tcp $HOME_NET any -> [196.251.69.26] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508668; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.26] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508669; rev:1;) alert tcp $HOME_NET any -> [196.251.116.155] 8443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508670; rev:1;) alert tcp $HOME_NET any -> [91.208.184.195] 7412 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508667; rev:1;) alert tcp $HOME_NET any -> [144.91.103.204] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508666; rev:1;) alert tcp $HOME_NET any -> [193.168.143.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508665; rev:1;) alert tcp $HOME_NET any -> [62.60.226.114] 40103 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508664; rev:1;) 
# ---------------------------------------------------------------------------
# ThreatFox IOC rules, restored to one rule per line. Suricata reads a
# signature from a single logical line, so a rule broken across physical lines
# does not load.
#
# Three rule shapes appear in this span:
#   * alert tcp ... -> [ip] port   No flow or content keywords: any TCP packet
#     from $HOME_NET to that address and port matches, including connection
#     attempts that never complete. "threshold: type limit, track by_src,
#     seconds 60, count 1" caps each rule at one alert per source per minute.
#   * alert dns ... dns_query      depth equals the content length and
#     "isdataat:!1,relative" forbids trailing bytes, so the whole query name
#     must equal the listed name (case-insensitive). Subdomains and parent
#     domains of the listed name do not match.
#   * alert http ...               http.host is an exact match (same depth +
#     isdataat pattern); http.uri is anchored only at the start, so any URI
#     beginning with the listed path matches.
#
# "target:src_ip" marks the $HOME_NET host as the target in the alert record.
# Each sid is the ThreatFox IOC id from the reference URL prefixed with 9.
# metadata carries confidence_level (75 and 100 in this span) and first_seen;
# use both when prioritising hits, since bare ip:port indicators say nothing
# about the payload and lose value as addresses are reassigned.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [49.232.62.197] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508663; rev:1;)
alert tcp $HOME_NET any -> [173.212.245.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508662; rev:1;)
alert tcp $HOME_NET any -> [120.26.139.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_20; classtype:trojan-activity; sid:91508661; rev:1;)
alert tcp $HOME_NET any -> [198.98.57.26] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508658/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508658; rev:1;)
alert tcp $HOME_NET any -> [179.43.186.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508657/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508657; rev:1;)
alert tcp $HOME_NET any -> [152.136.17.91] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508656/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.googleshop.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508655/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"8salaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508640/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508640; rev:1;)
# NOTE(review): destination port 53 over TCP. This is a plain tcp rule, so it
# fires on any TCP packet to this host on the DNS port and does not inspect
# the DNS payload.
alert tcp $HOME_NET any -> [172.104.60.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508639/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail2.lasthit.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508638/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail1.lasthit.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508637/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508637; rev:1;)
alert tcp $HOME_NET any -> [50.106.3.62] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508635/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508635; rev:1;)
alert tcp $HOME_NET any -> [163.181.143.92] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508634/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508634; rev:1;)
alert tcp $HOME_NET any -> [118.161.8.213] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508633/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508633; rev:1;)
alert tcp $HOME_NET any -> [66.63.187.82] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508631; rev:1;)
alert tcp $HOME_NET any -> [93.198.178.131] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508630; rev:1;)
alert tcp $HOME_NET any -> [198.135.50.66] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508629; rev:1;)
alert tcp $HOME_NET any -> [188.166.174.146] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508628; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.113] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508627; rev:1;)
alert tcp $HOME_NET any -> [179.43.186.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508626; rev:1;)
alert tcp $HOME_NET any -> [101.200.76.102] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508625; rev:1;)
alert tcp $HOME_NET any -> [4.227.206.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.pejel.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508600; rev:1;)
alert tcp $HOME_NET any -> [217.114.43.122] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508586; rev:1;)
alert tcp $HOME_NET any -> [54.219.14.165] 2628 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508585; rev:1;)
alert tcp $HOME_NET any -> [171.227.30.106] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508584; rev:1;)
alert tcp $HOME_NET any -> [185.177.239.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508583; rev:1;)
alert tcp $HOME_NET any -> [192.153.57.203] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508582; rev:1;)
alert tcp $HOME_NET any -> [77.110.106.151] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.echelonai.world"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508580; rev:1;)
alert tcp $HOME_NET any -> [128.90.106.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508578; rev:1;)
alert tcp $HOME_NET any -> [89.40.31.130] 1010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508577; rev:1;)
alert tcp $HOME_NET any -> [64.52.80.67] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508576; rev:1;)
alert tcp $HOME_NET any -> [144.91.103.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508575; rev:1;)
alert tcp $HOME_NET any -> [185.165.170.222] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508573; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.158] 4507 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508574; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.21] 40106 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508570; rev:1;)
alert tcp $HOME_NET any -> [31.220.81.57] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508571; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.190] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508572; rev:1;)
alert tcp $HOME_NET any -> [192.142.0.149] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508569; rev:1;)
alert tcp $HOME_NET any -> [118.31.118.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508568; rev:1;)
alert tcp $HOME_NET any -> [47.116.34.88] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508567; rev:1;)
# Tofsee: the feed lists 88.214.48.64, .65 and .66 on ports between 416 and
# 431 as one rule per ip:port pair. The per-rule threshold does not merge
# them, so one host contacting several pairs raises one alert per sid; group
# these by destination address or by the malware name in msg during triage.
alert tcp $HOME_NET any -> [88.214.48.66] 421 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508555; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508556; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 426 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508557; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508558; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508559; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 424 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508551; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.64] 418 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508552; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 425 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508553; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508554; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 430 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508550; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508546; rev:1;)
alert tcp $HOME_NET any -> [45.83.207.17] 6522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508545/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508545; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 417 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508547; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.65] 428 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508548; rev:1;)
alert tcp $HOME_NET any -> [88.214.48.66] 416 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508549; rev:1;)
# http.host here is an IP literal, so the rule only matches requests whose
# host value is exactly that address; the URI check is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.208.158.182"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.wewum.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508511; rev:1;)
alert tcp $HOME_NET any -> [36.41.71.241] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508538/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508538; rev:1;)
alert tcp $HOME_NET any -> [176.113.82.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508537/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508537; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox IOC rules, restored to one rule per line (a Suricata signature
# must sit on a single logical line to load).
#
# ip:port rules carry no flow or content keywords: any TCP packet from
# $HOME_NET to the listed address and port matches, limited to one alert per
# source per 60 seconds by the threshold option. Domain rules match the whole
# DNS query name exactly (depth = content length, then isdataat:!1,relative).
# URL rules match http.host exactly and http.uri as a prefix.
# confidence_level in this span ranges from 50 to 100; weight alerts by it.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [134.175.159.214] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508536/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508536; rev:1;)
alert tcp $HOME_NET any -> [119.91.246.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508535/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508535; rev:1;)
alert tcp $HOME_NET any -> [111.230.161.5] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508534/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yyds.chinaunciom.sbs"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508533/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508533; rev:1;)
# NOTE(review): this name looks like a single tenant hostname under a shared
# cloud-provider domain. The exact-match anchoring keeps the rule from firing
# on other hostnames under the same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4gjhr5qxhyaj1.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508532/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508532; rev:1;)
# The next three rules differ only in the http.host address. They are the
# lowest-confidence entries in this span (confidence_level 50), and the URI
# is checked as a prefix ("/mozi.m" followed by anything also matches).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.34.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"103.48.64.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.209.117.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508530; rev:1;)
alert tcp $HOME_NET any -> [156.253.227.252] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508528; rev:1;)
alert tcp $HOME_NET any -> [188.166.174.146] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508526; rev:1;)
alert tcp $HOME_NET any -> [188.166.174.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508527; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508525; rev:1;)
alert tcp $HOME_NET any -> [45.45.217.148] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508524; rev:1;)
alert tcp $HOME_NET any -> [77.110.106.151] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508522; rev:1;)
alert tcp $HOME_NET any -> [196.251.87.16] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508523; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.179] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508521; rev:1;)
# ip:port rules (this run and the other "ip:port" entries in the file): the
# rule header alone carries the indicator -- destination address and port.
# There are no flow or payload keywords, so any TCP packet from $HOME_NET to
# that endpoint matches, including a connection attempt that is never answered.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert
# per source address per 60 seconds for each sid.
# target:src_ip records the internal source as the target side of the alert.
# NOTE(review): an address:port pair says nothing about which service answers
# there today. Addresses are reassigned, so compare first_seen with the feed
# date and check the linked ThreatFox entry before acting on a hit.
alert tcp $HOME_NET any -> [163.172.125.253] 300 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508520; rev:1;)
alert tcp $HOME_NET any -> [163.5.210.172] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508518; rev:1;)
alert tcp $HOME_NET any -> [81.17.24.234] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508519; rev:1;)
alert tcp $HOME_NET any -> [123.57.20.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508517; rev:1;)
alert tcp $HOME_NET any -> [35.220.140.248] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508516; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.128] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1508514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508514; rev:1;) alert tcp $HOME_NET any -> [196.251.116.190] 4507 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508515; rev:1;) alert tcp $HOME_NET any -> [196.251.70.239] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.wewum.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"4asalaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508510/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lumbersmile.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1508509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apri.php"; depth:9; nocase; http.host; content:"lumbersmile.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr.php"; depth:8; nocase; http.host; content:"lumbersmile.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508508; rev:1;) alert tcp $HOME_NET any -> [91.92.46.42] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.colaj.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.hosam.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1508481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508481; rev:1;) alert tcp $HOME_NET any -> [71.187.100.156] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508497/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.colaj.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508496; rev:1;) alert tcp $HOME_NET any -> [13.51.167.241] 9142 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508494/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508494; rev:1;) alert tcp $HOME_NET any -> [106.75.215.144] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508493/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508493; rev:1;) alert tcp $HOME_NET any -> [176.65.149.67] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; 
classtype:trojan-activity; sid:91508492; rev:1;) alert tcp $HOME_NET any -> [51.79.160.146] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508490; rev:1;) alert tcp $HOME_NET any -> [154.201.91.52] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508491; rev:1;) alert tcp $HOME_NET any -> [18.116.20.64] 4839 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508489; rev:1;) alert tcp $HOME_NET any -> [171.227.30.106] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.st4b4n.fr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508487; rev:1;) alert tcp $HOME_NET any -> [45.45.217.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office.socalmediazone.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508486; rev:1;) alert tcp $HOME_NET any -> [94.140.114.150] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508484; rev:1;) alert tcp $HOME_NET any -> [103.96.130.111] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.hosam.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508482; rev:1;) alert tcp $HOME_NET any -> [198.98.57.26] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508480/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508480; rev:1;) alert tcp $HOME_NET any -> [23.94.54.13] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508478; rev:1;) alert tcp $HOME_NET any -> [148.135.90.11] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508479; rev:1;) alert tcp $HOME_NET any -> [106.75.12.246] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508477; rev:1;) alert tcp $HOME_NET any -> [104.168.57.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508476; rev:1;) alert tcp $HOME_NET any -> [176.113.82.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508475; rev:1;) alert tcp $HOME_NET any -> [47.86.107.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508474; rev:1;) alert tcp $HOME_NET any -> [121.43.160.89] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508472; rev:1;) alert tcp $HOME_NET any -> [139.9.61.175] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"fstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508471/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508471; rev:1;) alert tcp $HOME_NET any -> [208.40.7.3] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508432; rev:1;) alert tcp $HOME_NET any -> [51.159.187.214] 3615 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1508434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508434; rev:1;) alert tcp $HOME_NET any -> [80.71.149.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508435; rev:1;) alert tcp $HOME_NET any -> [106.15.227.21] 7000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508436; rev:1;) alert tcp $HOME_NET any -> [100.26.43.242] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508437; rev:1;) alert tcp $HOME_NET any -> [3.104.57.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508438; rev:1;) alert tcp $HOME_NET any -> [120.26.235.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508433; rev:1;) alert tcp $HOME_NET any -> [3.18.121.82] 8443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508431; rev:1;) alert tcp $HOME_NET any -> [103.150.92.3] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508430; rev:1;) alert tcp $HOME_NET any -> [3.110.28.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508429; rev:1;) alert tcp $HOME_NET any -> [23.94.212.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508427; rev:1;) alert tcp $HOME_NET any -> [47.113.227.68] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508428; rev:1;) alert tcp $HOME_NET any -> [130.61.248.49] 6666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508425/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508425; rev:1;) alert tcp $HOME_NET any -> [152.53.130.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508426; rev:1;) alert tcp $HOME_NET any -> [52.212.98.5] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.x6se.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508410; rev:1;) alert tcp $HOME_NET any -> [81.70.202.246] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508423; rev:1;) alert tcp $HOME_NET any -> [147.135.209.16] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508419; rev:1;) alert tcp $HOME_NET any -> [147.135.209.16] 8081 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508420; rev:1;) alert tcp $HOME_NET any -> [171.227.30.106] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508417; rev:1;) alert tcp $HOME_NET any -> [20.240.184.170] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508418; rev:1;) alert tcp $HOME_NET any -> [196.251.69.26] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508415; rev:1;) alert tcp $HOME_NET any -> [2.56.245.216] 4608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508416; rev:1;) alert tcp $HOME_NET any -> [45.79.145.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508412/; target:src_ip; metadata: confidence_level 90, first_seen 
2025_04_19; classtype:trojan-activity; sid:91508412; rev:1;)
# Domain rules match the whole query name: depth:N pins the N-byte content to
# the start of the dns_query buffer and isdataat:!1,relative requires that
# nothing follows it. A lookup for a subdomain of the listed name does not match.
# NOTE(review) sid:91508413: the name below has the form of an EC2 public DNS
# name, which embeds the instance's public IPv4 address. Such an address goes
# back to the provider's pool when the instance is released, so this indicator
# ages quickly; re-check the ThreatFox entry before treating a hit as current.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"ec2-16-163-161-107.ap-east-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508413/; target:src_ip; metadata: confidence_level 90, first_seen 2025_04_19; classtype:trojan-activity; sid:91508413; rev:1;)
alert tcp $HOME_NET any -> [176.65.144.18] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508408/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ht.bzmajiang.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508409; rev:1;)
alert tcp $HOME_NET any -> [209.141.33.93] 5538 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508411/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_19; classtype:trojan-activity; sid:91508411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.saguf.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.124.109.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"although-cholesterol.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"interface-owners.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"match-charity.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"o-sufficient.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/9hzqgnjr"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508465/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508465; rev:1;)
# NOTE(review) sid:91508465 (the rule ending on the line above): pastebin.com
# is a shared service, so the whole detection rests on the path match. The
# path is matched with nocase and with depth only (no end anchor), so any case
# variant of "/raw/9hzqgnjr" and any URI that merely starts with it will alert.
# Paste identifiers are presumably case-sensitive -- confirm the exact spelling
# in the ThreatFox entry. confidence_level is 50.
# As an "alert http" rule it is evaluated only where the request is visible in
# clear text; without TLS inspection an HTTPS fetch of the same URL is not seen.
alert tcp $HOME_NET any -> [45.88.91.214] 4500 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508464/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508464; rev:1;)
alert tcp $HOME_NET any -> [38.102.9.64] 23074 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508463/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508463; rev:1;)
# Exact-name match: depth:19 pins the 19-byte content to the start of the
# query and isdataat:!1,relative requires that nothing follows it, so other
# duckdns.org names do not match.
# NOTE(review): duckdns.org is a dynamic-DNS service and the record can be
# repointed at any time. A hit shows that the name was looked up, not where
# the subsequent traffic went; pair it with flow data for the same source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rhymers.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508462; rev:1;)
alert tcp $HOME_NET any -> [188.240.81.233] 3131 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"9xuj2tcnm.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1508459/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"go.gets-it.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508460/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"four-meme.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508458/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"futuristx.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508456/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"synmedsp.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508457/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"reddit.co.im"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508455/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; 
classtype:trojan-activity; sid:91508455; rev:1;)
# The two domain rules below match the bare name only: depth pins the content
# to the start of the query and isdataat:!1,relative forbids trailing bytes,
# so a lookup for a "www." or other subdomain of these names does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"lynmor.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508453/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"grrlspace.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508454/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508454; rev:1;)
# NOTE(review) sid:91508452: unlike the other url rules in this file, this one
# has no http.host match and places an IP literal in the http.uri buffer,
# anchored to the start by depth:14. A request URI normally begins with "/",
# so the rule is unlikely to match ordinary traffic. The indicator was
# presumably a bare "http://<ip>" URL whose host part belongs in http.host --
# confirm against the ThreatFox entry before counting this sid as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.164.61.168"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1508452/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508452; rev:1;)
# sid:91508451: the URI content "/" with depth:1 is satisfied by every request
# path that starts with "/", so the rule is in effect a match on any GET to
# the exact host name; the detection rests on the http.host content alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"quicklinks-online.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508451/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508451; rev:1;)
# NOTE(review) sid:91508450: the http.host value is an RFC 1918 private
# address (10.0.0.0/8), while the header is $HOME_NET -> $EXTERNAL_NET. Where
# 10.0.0.0/8 is part of HOME_NET and EXTERNAL_NET is its complement, the rule
# can only fire on a request that carries this Host value to an external
# address. Where it is not, a hit points at whatever local host uses
# that address rather than at the reported server. Presumably a lab or
# internal address that reached the feed; confidence_level is 50 -- review
# before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/supershell/login/auth"; depth:28; nocase; http.host; content:"10.99.1.101"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508450/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508450; rev:1;) alert tcp $HOME_NET any -> [149.210.62.42] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508449/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508449; rev:1;) alert tcp $HOME_NET any -> [35.178.244.216] 873 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508447/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508447; rev:1;) alert tcp $HOME_NET any -> [222.89.70.13] 9088 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508448/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508448; rev:1;) alert tcp $HOME_NET any -> [103.68.251.141] 8869 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508446/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508446; rev:1;) alert tcp $HOME_NET any -> [45.76.156.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508444/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508444; rev:1;) alert tcp $HOME_NET any -> [137.184.239.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508445/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508445; rev:1;) alert tcp $HOME_NET any -> [173.249.24.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508443/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508443; rev:1;) alert tcp $HOME_NET any -> [54.159.118.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508441/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508441; rev:1;) alert tcp $HOME_NET any -> [95.169.25.146] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508442/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508442; rev:1;) alert tcp $HOME_NET any -> [209.182.239.173] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508439/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; sid:91508439; rev:1;) alert tcp $HOME_NET any -> [43.133.72.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508440/; target:src_ip; metadata: confidence_level 50, first_seen 2025_04_19; classtype:trojan-activity; 
sid:91508440; rev:1;) alert tcp $HOME_NET any -> [52.91.218.1] 101 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508422; rev:1;) alert tcp $HOME_NET any -> [13.203.232.69] 2052 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508421; rev:1;) alert tcp $HOME_NET any -> [196.251.116.201] 2007 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508414; rev:1;) alert tcp $HOME_NET any -> [196.251.80.109] 80 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508407; rev:1;) alert tcp $HOME_NET any -> [35.179.100.140] 10261 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508402; rev:1;) alert tcp $HOME_NET any -> [35.78.171.69] 1963 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508403; rev:1;) alert tcp $HOME_NET any -> [18.222.12.121] 103 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508404; rev:1;) alert tcp $HOME_NET any -> [18.222.12.121] 2003 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508405; rev:1;) alert tcp $HOME_NET any -> [18.222.12.121] 34203 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508406; rev:1;) alert tcp $HOME_NET any -> [171.227.30.106] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508401; rev:1;) alert tcp $HOME_NET any -> [111.229.202.115] 8083 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508400; rev:1;) alert 
tcp $HOME_NET any -> [162.250.124.62] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508399; rev:1;) alert tcp $HOME_NET any -> [197.224.236.164] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508398; rev:1;) alert tcp $HOME_NET any -> [192.177.111.67] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508397; rev:1;) alert tcp $HOME_NET any -> [62.60.226.101] 40106 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508395; rev:1;) alert tcp $HOME_NET any -> [45.94.31.80] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508396; rev:1;) alert tcp $HOME_NET any -> [194.59.31.74] 17527 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508393/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508393; rev:1;) alert tcp $HOME_NET any -> [196.251.88.99] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_19; classtype:trojan-activity; sid:91508394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.saguf.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508392; rev:1;) alert tcp $HOME_NET any -> [86.245.253.250] 1024 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508389/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508389; rev:1;) alert tcp $HOME_NET any -> [185.158.248.206] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508388/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508388; rev:1;) alert tcp $HOME_NET any -> [91.92.46.38] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508387/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508387; rev:1;) alert tcp 
$HOME_NET any -> [3.33.167.132] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508386/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508386; rev:1;) alert tcp $HOME_NET any -> [178.128.83.141] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508385/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508385; rev:1;) alert tcp $HOME_NET any -> [107.150.0.174] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508384/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508384; rev:1;) alert tcp $HOME_NET any -> [82.156.255.158] 40010 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508383; rev:1;) alert tcp $HOME_NET any -> [123.57.143.3] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508382; rev:1;) alert tcp $HOME_NET any -> [185.43.5.227] 40156 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508381/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508381; rev:1;) alert tcp $HOME_NET any -> [77.73.129.82] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508380; rev:1;) alert tcp $HOME_NET any -> [196.251.116.155] 993 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508379; rev:1;) alert tcp $HOME_NET any -> [45.88.186.113] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508376; rev:1;) alert tcp $HOME_NET any -> [45.88.186.113] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508377; rev:1;) alert tcp $HOME_NET any -> [176.65.144.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508378; rev:1;) alert tcp $HOME_NET any -> [176.65.143.240] 6745 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508375; rev:1;) alert tcp $HOME_NET any -> [185.157.162.22] 59111 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"xstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508373/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"uzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508372/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.qicon.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mfwtdajaeteirph.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"v0salaccgfa.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508370/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tikl"; depth:5; nocase; http.host; content:"newzeconi.digital"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508369/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wozd"; depth:5; nocase; http.host; content:"mstarofliught.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508368/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"equilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508367/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_04_18; classtype:trojan-activity; sid:91508367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawi"; depth:5; nocase; http.host; content:"klonfgshadow.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508366/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"hzestmodp.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508365/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"7nighetwhisper.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508364/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsooz"; depth:6; nocase; http.host; content:"ssalaccgfa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508363/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sagf"; depth:5; nocase; http.host; content:"meerkaty.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508362/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508362; rev:1;)
# URL IOCs. http.host is matched exactly (depth plus isdataat:!1,relative),
# while the http.uri content has depth only, so it is a case-insensitive
# prefix test: any GET to the host whose path starts with the listed string
# alerts, including longer paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsoz"; depth:5; nocase; http.host; content:"porcupineq.digital"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508361/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gkcxv.google"; depth:13; nocase; http.host; content:"check.qicon.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508360; rev:1;)
# NOTE(review): sid 91499069 targets a single path on pastes.io, which appears
# to be a shared paste-hosting site. The exact-host plus path-prefix match keeps
# the rule from alerting on other pastes there, but the content behind a paste
# URL can change or be removed, so confirm what was fetched when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/5252-71821"; depth:15; nocase; http.host; content:"pastes.io"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1499069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91499069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"xchangeaie.top"; depth:14; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1508346/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geps"; depth:5; nocase; http.host; content:"ychangeaie.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508347/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeda"; depth:5; nocase; http.host; content:"ekzestmodp.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508344/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekd"; depth:5; nocase; http.host; content:"hznighetwhisper.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508345/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gksi"; depth:5; nocase; http.host; content:"cquilltayle.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508343/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508343; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytus"; depth:5; nocase; http.host; content:"7piratetwrath.run"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1508342/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508342; rev:1;)
# ip:port IOCs. There are no flow or payload conditions, so any TCP packet from
# $HOME_NET to the listed address and port matches; threshold type limit caps
# alerts at one per source per 60 seconds.
alert tcp $HOME_NET any -> [205.185.124.66] 8488 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508341; rev:1;)
alert tcp $HOME_NET any -> [172.111.137.164] 3911 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1508340/; target:src_ip; metadata: confidence_level 75, first_seen 2025_04_18; classtype:trojan-activity; sid:91508340; rev:1;)
# This rule and the .xyz rules that follow it share one shape: a 16-letter
# lowercase label, confidence 100 and the same first_seen date.
# NOTE(review): that pattern is consistent with algorithmically generated C2
# names; confirm against the referenced ThreatFox entries. Each rule matches
# only its one exact name (depth:20 plus isdataat:!1,relative), so names absent
# from the feed are not covered and coverage depends on the ruleset being
# refreshed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiymwegwkgciueii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymyuwcsaaggcqgow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level:
100%)"; dns_query; content:"uewiegwoooygmque.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcaiwcasyyiwceyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igeegcumcuguoigc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cucwocyygmogycsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gccwgiaugessggio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqacgigqgogmwqsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1508339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508339; rev:1;)
# ThreatFox domain IOCs, first_seen 2025_04_18: one DNS rule per reported C2 domain.
# Each rule alerts when a host in $HOME_NET sends a DNS query whose name equals the
# listed domain:
#   - dns_query selects the DNS query-name buffer (legacy spelling of dns.query).
#   - content + depth:20 + isdataat:!1,relative pins the 20-byte domain to the start
#     of the buffer and requires nothing after it, so only the exact name matches;
#     a query for a subdomain of the same name does not fire the rule.
#   - nocase makes the comparison case-insensitive.
#   - target:src_ip records the querying (internal) host as the affected side of the alert.
# None of these rules carries a threshold keyword, so every matching query raises an
# alert unless it is limited elsewhere (e.g. threshold.config).
# NOTE(review): every name is 16 lowercase letters under .xyz and msg names no malware
# family, which looks like output of a domain-generation algorithm - confirm on the
# referenced ThreatFox entries before attributing.
# NOTE(review): a list of exact-match names this long may be cheaper to carry in a
# Suricata dataset than as one signature per domain - measure rule-load time and
# confirm dataset support on the deployed version before changing anything.
# NOTE(review): the feed records first_seen only; decide locally how long such
# entries stay enabled, since alerts on long-expired names mostly add noise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswgccayuoykyaqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igswqsomogwsocaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugmuiyimswecamo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckoakaukwaouaqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igaeuauegoccamsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuukewkuwosuaqew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokgskygoykeeyge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscwciayookykuui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiameyycwoeaiyqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuseqcqyusiomquy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuiwwcueakomkqec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moawiwamwosgkkms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuuacksuomockaoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwgggwgiyseawwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moymaieyiamucwgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwcuiuekckmeqooi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekgiciksooamicg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saouwyammcwwiacq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqkemcoowmieoeiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moaoqwiikqckoeck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwakscmyeiskmmkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmiamqeemuqgaiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igoykmouqokssugs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqgwkscqekcygoee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemsauugkmmmwoma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueiicyeakimqmous.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gceeaikesmkoawiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymyywwmmauqiwukg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugkakwsosqyewuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiwmccesmkaiwie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iggwgogcouiccekw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymoaqaoiquegkkai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswgackesyqewuum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwqceciwagwocca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwoeowkiuoquegkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuwayycoemgcgkam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakwymymuaiaoiac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwgyomoiocagyqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqsmgsasegkwcwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymycuauwuwskygcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moiuismkowqwagis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqsqaaousyqwksiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqkgayykaaimuiqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekisgwiimumqome.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksyqcmcmquwuues.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgqkkscwyaagawk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoqiieommymouco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusogcmkmwisuqcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmgauwywusyqigu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiimyoygswoikisc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqqiuoukkauyeci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeeyeooqiygmigu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmiywmaqciuaccc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgwcswoymoagswe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqugiaoyqwegeagu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiiassiakqgqscug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igosgqomsimekswg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwyuimycmicgkwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkycssucgsciecai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueaegauwgueumygu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiieisakmekcmuew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouamywwowqcoaqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osmeqmycwswiauiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkwegcyiwewqmow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mocmiokaakacosmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moawqqomekeyskck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekyocaywqeiwsii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciqysqecisumowc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegoecuwycskaoiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwocwegikgosuwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmikyqcosiecuoko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gayasqiqqikickag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqecyemmwucmyom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieiokeiuegicgkys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkkuqeagoaasygo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgweqweciooeioke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqwasiyuqoymewc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iewiwuawkoyqikoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycgoagmscioiiae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmuuygiaekimyag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quemcyooqqqmaqmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csooseywiqmuuqiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecuicuiwmkwqomu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicgmumqqgqoqoue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuuymkkyaeeisum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqqieocgwwmomqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqwigeugcocgakco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosgukgwukmmosia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiuiagoieiiciqay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiugweqwiiioissy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewgsicqiwgsmiiwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgsykgmwwaywaaie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgkcmkoiuyqqsgiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugequmyumyeiyqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gacueqsequaumywc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgeewcgggyqkmsce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykwekcwuwugsisc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmikiwuyawuwyyow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewucywsucmquqmse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quoggauyqmoyiwoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syaguggsikkiwook.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuyeuukegkisoye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieioyumsgoueuock.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewagsgkqoqugawgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmuemookogaokas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiskoqkgqmoquay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqaiaokyiuegeia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmcuyuaeymceqaym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwyukgkegmwmqqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"queuwcyasgkoqgkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91508204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowiyigyasceuwgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmcwouwyywwysyms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csaqgwowiaceegeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmmocwegkqwiiyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuoogqyeoqeukeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckguiseigcwcuwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukymswcgouysuce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmcmiqyyaqyiceyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmkyywomycyeqsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscigiiauecygacw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gagqyesqyiwyucug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqsskioiigqowmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomqiyakgkyckgeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucygcscekiacwuuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gascoeyumuascyea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqqicgyqieokysu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1508220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgkqwosakeecemgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgcoqsgicackucqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgumeqqgmqwmioki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeswiiqeukusqim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagaqukueqcqwmis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91508182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieigicowqwicmwse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiqckskciuaewsgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwgmaaiciaekwww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgmeismqmosmyya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewygwkwweomuqcsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csysemiayskeiuiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csieysisekyeuoua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucamwuckioaequyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgigkmcqwacaiaiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoswwegwaoomcemm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wguyccyyogieugcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscwieieomiowmic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykescamuyusuikew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokuwmyqasuquwig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgcisokgkcogmkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeokkuwagisyqai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1508198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gasswmuoawamusec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syesiyacksaiamsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewewuwycwwossqyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckguqwwuqiaewqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmicecwmimqesuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91508158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikiiamkweuocokg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmwsigsaessysqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiuamiymqgcacauk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewyssykimeauumcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sywiwwgycygmwoqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemwaiwagegwqmec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmyyoseoeugeqgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqicaswoouucaeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigcaiaiegswqkwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmesyuwmoamoecm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"csusqiissusawesw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmysgaggaykykqcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecimagyyqiksgaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykocqqsaqesaawai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmimmwiewcigyaqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqikkmyeuwqkwwie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1508174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecsaioisugyaeug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieogmaccykemsiua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicegcqeckuaokwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmceaummyuqyacak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqwgyoqscekewoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91508179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuqcwakyussqywu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewsioiywkeaaakyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qucmcuuogakegmyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcsywqakggiqssg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkmkmucgoeasawm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmoiyaigqueqyeem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508139; rev:1;)
#
# Notes on the exact-match DNS domain rules in this part of the feed
#
# Match logic: each rule alerts on a DNS query sent from $HOME_NET to
# $EXTERNAL_NET whose query name equals one listed domain. The content is
# 20 bytes long and depth:20 pins it to the start of the dns_query buffer;
# isdataat:!1,relative requires that no byte follows the match; nocase makes
# the comparison case-insensitive. The whole query name therefore has to
# equal the listed domain, and a query for a subdomain of it does not match.
#
# Triage: msg names no malware family for these entries. The reference URL
# carries the ThreatFox IOC id, and the sid is that id prefixed with 9.
# metadata records confidence_level 100 and first_seen 2025_04_18.
#
# Attribution: target:src_ip marks the querying $HOME_NET address as the
# target side of the alert.
# NOTE(review): where clients resolve through an internal recursive resolver,
# the address seen on a $HOME_NET -> $EXTERNAL_NET query is presumably the
# resolver rather than the infected host - confirm against sensor placement
# and correlate with resolver query logs.
#
# Volume: these rules carry no threshold keyword, so every matching query
# produces its own alert.
# NOTE(review): the names look algorithmically generated (16 letters + .xyz)
# and share one first_seen date - confirm with the IOC pages, and age the
# entries out per local retention policy.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kieusicqskyussgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiioyoiiwugkuuaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaoskoyaqsicqyow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguswsuoyogomamk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmeyeoyeaywqwcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqikeosccmeoguma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqisesqiqayyswu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqicqgwqsuqacaks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegekacuoskcgeqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wggwemkoeyqyakqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiuwsucwaakmayg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomgyksqmaksqywu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqmisckmgiquayku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqiweuucyoaqoku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmieauyqwkkimkqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuqkskiqgaimywu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykseqscieekgksw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewgygyckoeeegmqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowqqsuqcyoeowme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaewgmsasmegemcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syokwuaooqscaycm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyymgkucwscmkyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iesucoucmyycqumc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewokksosmwyowekg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieycukigeewgsksi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiesacgyaeokcmma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quageewiwmgkkyko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgiuygqsauegwgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckouwkeoayaqksm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaagweqskwuwwyco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykyeksqgcawusmwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiukcsymawmweuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiyeqsauccesscc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiaeemcumeqycoqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoicyemkakcieamu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieauoikqwekcouyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceysyomgiyacsgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewoymqiukkksigoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokwkcigemkuqyss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewisocqeiuoyokcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuwuiguqsomssaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqqiaauwomwkkmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykkmskesemamkcyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmsousakumwcsiaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgamgaucoukkkqoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiwiauuagukgaco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgqiacqkccigooiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sywqgwowymsqgicu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieasoeyciqasyiyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykcgsauocmuammy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wggcomqueuckyeky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckgmsqmyismqmmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiyycyyusimammoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqcsmmycccuagoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuqwuowaucmciqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgiciyeqkswscyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiimyseockscmik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoeumicggsqkoaig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuscquguywauwmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiooauswiqoaicqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiagqogcwugsqigg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcqqgaumwuyewou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkweyokokcseqwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqwsmcmkmumgqoaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamiiwcmeciuogcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgewgmogeyqqwkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iesmqgiyqyqkiies.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecgeugiiugmcuag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiiggiooqccwaqsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqokisyiygqkuou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqckeguwoggisea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csyaqueeeaiwuyas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qucgiuiseamkesiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieksauisemykeccs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusuoyukyckweswo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiccgqeieuoqmeic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgseuiqcecsakyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiuaccykgomaoomi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkmqssqayimyosk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgockqykocemquc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakegmkiceuoieqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmueyciueioeqyma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgqaqiciomaosksw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucioygyaokeukgqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiiqikiwygumeuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqguucgeamqeiks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoaigoiaycamkoyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aouesikqiiwgkuqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaaugyesuwauksyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemeikcemmsokcuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqwyiksimsocokkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sywoiumgkamueosi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqkeskggiyyukeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmgmciouwscsauc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosqoakkmeoockuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqsgemkqcycqiywa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqgioewyqcasgaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symgsauauseccswe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyyqmecciyowweq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csagywqqcyscweam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgaoeyaowcsosce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaugyegcsqcwmim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiqwcmkequwoycym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogoasoamokioueq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiymqeomisemikae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symqsmgswywskaea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syykscwuqiqmioce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syaoyaysiwqiayos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieiugcqyamewweau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mmyiceaoguaqossm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqmmyscymgysgaws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciakeeueascweoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sygoqwskgykeeoiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcomqwkwswkcisi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuooiwwuwkcuqim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1508030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgqyicuekewkeke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmskoeuikwgkmims.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symsmmgiauosscqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmuysicikgaosqos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicgeaqquegckeoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91508035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmuykgiaameiouai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqoymsaigekeuiyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmaogiwiegycuicc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoaomaqyomqmaysg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguwoouiswkamkce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskuwowuuikogwcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"queuqmgkgqccuywc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykskyiscasumiswe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgsscwykowkgqky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcemieyuukocqcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mmkciuqmkuwaiqcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqiyimgkweeoiki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iewmegqkocueyimi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqmsyoiikksqgkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaoyasosiigemauw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yksaycyoyimmuwcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1508008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeygcqaayciqumc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigiakogukesomsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewsewegqyowmsqiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykeugucgimscwigg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgyuaiqiummmuwoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91508013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieeyaumgiaiiowig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieaecewgwyuiwimk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewymugcqyeyqkwsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmwkkswmcuooygi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaawagaoacmosai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuiuaggmqakweew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kieykemyyyggkmsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimaqyswgycmoeqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoamwywyaommcem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqkgaaqagwwqmaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"syciicgkkasmgmcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcsagmimukaiaki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syqoeasoqamwecee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quywwiiagcqiuoyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykaygkiqacqwgias.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgugaewukwioeug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgcosmmaggauqioi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaksoygsogkmkwas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwskuggwciwyook.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgiissaagwuisgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiecqwqiummsemuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucouqoykasoeaeok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kioqkiqkmoqwqquk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykaiemcqqqcoysom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgyugkeaiiuyyeoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogwgkocoikcaama.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuicgaskumwkeiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoyyuuaggmuuwccc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykkoqkeiyyygyosy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieceieceiwyqmcog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgosewemaumwyaei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1508002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91508002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wgswcqsamsociusk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iequcseewkaaqgue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwieckwukiqeqgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkagaqseiqemqsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoiyqiouyscqcske.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqwwuqwuyiywcayq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syyqmsqewymwaaum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqmyowwsiaowqua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aocqwuoiyeawwgww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgimwqcecyeqowmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmugueiekeikyeum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcmasqsayeqqeey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuieewukgkyaeya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckyguwwmugcuywm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qumueweuqoeiqwau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowyqmyqeeokmmcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yksimamkugiawuio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqkskikcwaoakic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiyiuqsouyqomqos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmuscceseomoouok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewooiuyaquoyumai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"aouqgwmywmcsasyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgweoqqqyegqoask.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuaiuqseqcycsyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccuysuouokyguoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmuascuyaqaygysy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmisaucumksmwwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csagicqcycswkeyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgkgqkywsykcswyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quecugwwqayyekoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aousqgcwsygawogu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewagwswksumwagya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeekuwuyuweyqew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syiewasmisquugsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmwwkocykeeqsgwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckykaaiwauegmwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaiacsasywqwceak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssoceicewqkcuaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmwwaeqassksoysa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeksaciqqokukuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kioyqiwqwoiiskoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkgyuoeuueeaasc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ewsksscyequegges.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieiqwcoakyikeiwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kieokywuscqwsqgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kioukwcycswoggqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoysykaokuimkgky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogoiqaicssmswya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkeeaqscmeaccmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cseumeaugwaggems.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykamqgeycmekewaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokukkkuquaowyea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewgmsyyweesogsmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syoywgqyekekguae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegqaewqiqgqooug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewacaguyoweiskcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoeiccimsayaosma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmseiiceegoogiio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmwcyyiqeqiaqeem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symugsgucgwomigq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiqmkyegosggogo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucuoeaqksgcowmms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckwwaqsmyogagag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oqgaskeyeaksmumc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukiyyssakawocss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmicuigsaeiyqmsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csiemsuqeoecmiqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqmgggwgmykaqqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoiimaaccmeuiquk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syaugiesokeyquay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaomasmowommuuik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmaimmccoukwskuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogakieusekquaek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqusyeaiygyoocqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaesakwsegeqkggq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csiuyuiqkyymucao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaioieuoiemsmuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisoqekyiaaamkwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aommgikuuywyiygs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quayymacgsuyiyew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykssuimuucoqmmie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oquyewwiwscwkuec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuaysaqcmoomkue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeaoccqqeswgiii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"iekmyigsasqmacik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguomaeaiqygsqkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmsocmiqgkiykoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuwqigukcuqksmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmuwumqowqmgiay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciiiywsswsomuou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgkoyswgkeuoeeia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowuosuawkmoiyom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cswqamuimwkoscgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugygkoqawscqysk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciiiweyuuwqcmia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507884; rev:1;)
# Reviewer notes on the DNS-domain rules that follow (one rule per line).
# Every rule below has the same shape: alert when a host in $HOME_NET sends a
# DNS query towards $EXTERNAL_NET whose query name is the listed ThreatFox domain.
#   dns_query              inspect the DNS query-name buffer
#   content + depth:20     the 20-byte name must begin at the first byte of that buffer
#   isdataat:!1,relative   no byte may follow the match, so the name must match in
#                          full; a query for a subdomain of a listed name does not alert
#   nocase                 compare case-insensitively
#   target:src_ip          report the querying (source) host as the target of the event
#   sid                    the ThreatFox IOC id from the reference URL, prefixed with 9
# NOTE(review): if clients resolve through a recursive resolver inside $HOME_NET,
# the outbound query comes from the resolver, so src_ip will presumably be the
# resolver and not the infected client; pair these alerts with resolver query logs.
# NOTE(review): lookups made over encrypted DNS (DoH/DoT) are presumably not
# visible to the dns parser and would not alert; confirm against sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucsgmsamyeoegyiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkwswugsksccsue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykucukaqewyummok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqmcowsggqaaoii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkssuuywockiwqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucyqoseagacmiyqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemwesmycyyayeiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewoamogesmcwisgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqakywuwosceccks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqsmaqokkoqgyaew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqyguiwgyoqcwoqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycoaegmcuisuuww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kickagsiycowqceg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syecwmoygsweumcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgeeauoakcgcqmag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmcggaiwqaeouqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaaqugoiuoqewck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgyqkuqcaumecus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykyqcecgmiosccqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmeogewcsewcoqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeuoakmiuoowcqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csqiwmowoimssieu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqmaqwsowwwmmcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysuggeoggaguuuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmomgeuowccckke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgammiioewsoegaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqyggoaqqacimcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguqueyqaqkuagqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkiwqgguawemwsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykscuciiciomsguq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskiueosweuysuay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wggkcamucemaqmsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceukuyyeuymacmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiuqiouqiayokue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieockgaomseisegk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgeygckeksquuqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccyoekamqawaokw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiisiqgwygoaqwew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quskougswsekgmqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukwswmmuyysqmew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyyouoqyokgccwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguuasugacayosmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgcoocsekmqkiau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisaywqsmcyciome.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicqwkmqwewgyysu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigqmimkemaecagc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgkwyamkyakqaoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gawmikookqgouyoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgueeqmuuwokusg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syeiokgygkusswoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiicyqokqmaweaca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssoissqqqkwceqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmycuqueomkgskaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oquceaywqmiqmecs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeqeicaeuycgmai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiycokyiusqqgaya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauiuqiowkmmuqcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syawismkqsmaswsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoiwowmusmyqyia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwkwgwgckqaugsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaqmwgwgyiuyqug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgoowocgegeymgqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgsuemkcqggegkce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoouyewgusgicece.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmmqekoqmokicse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaomukkegqgeoei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykiuqieaaiogsayc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmgooceoicsuquy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syykiucwcewasqsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceicwqagskacamc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmcqcsksswsiowca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqockomkokocueww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syqwwyuwowyciowm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckuwosmgekcquyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kioemmwceuyeoqkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmasiquuwgycmoqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskciyuoscwceeqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkmycesqgckuosi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieqykkgmuwuyqyce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gameqeuquikwosyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycqswsyemwcoukc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoeiykcascaokmok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqkauyiwayswgey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoysmuawqaycisgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugkieiscqueekey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaskgiukwssyyuec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqegqayiumiamyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmgwwgwaaeugsec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikqgqesuicuoyks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqymccmuciyigku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciiycqwwesoioqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgsyocakiksgaikc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqmyygckqysewaqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syckyyesayyguggs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagawoiogueywesk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csewcgasgeicyyqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqiisskucuuqwoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuwosmwswgqimqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaacgewukwwuqcys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmegequswymcmci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmsqggsecakcsyei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiuukcuaewymomuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaaowigwcsseuowm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkegucgwosqqwou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimggkycucgqqasu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiyukwcekksyuiss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekaoiqmyeookicy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucaueqqskyaowicm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykwemgawaqguiqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykymcukkiukwgawg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieqeymqqokmyikco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqwwwgmyysgciyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciyukaaaocwksia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmmwskkiwmguguk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qucusiqyqgwqyiko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ykayqusoamykioak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogyaeociwkeuuea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gammegywsmgeaouk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iesiowuoiaeugogc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgygimccekkwkcwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakiccocyicwgmmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quakosesccmowccm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quayycwuqyyoumcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssqgwkcuueqcukc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakuouuaiqekucqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowayikieqmuaqeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugsaykqikymkmqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiyqkkgquieogqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gacwguysywouqeum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeqckieguowgaeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowmseyeayogukuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwoiuwkegyaoeam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgaekocaaqkawwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmiqayquuaaekou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiskgoacqqqoisew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykegyycsmoyooskm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kikgssamgecakgcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuwgacwiaecamgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqawwmkmqcscoeag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieacwwaumoiqcqqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisqkkecsuycqksw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyaiyumumuqmcig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmisokassiycqyse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmyuyyyasokasws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gammucsssukmciuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaswwyqsouukgui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagiqwuwgguekgie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmegagagwuoqyik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckogmmsccmekcqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemcwiqmkisacgyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoakmuakkiqgouui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysucgyowukqkqyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigygkyaugggcyou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoosuwkeugqaeweq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqwysguwqowoksa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgqmkmokgmgecyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqciawiwigkoekek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"aocueaumwcsuewcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekasskciccomcsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoyckiecygiumsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiqqcgsiyeoqykm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoammaqckyamewqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauuksiewaawcmie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwmcuiowekgccsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieouiaugcusqqgii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwuygmocgqyayua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosowyukikooceaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewoomiqqeoowgwwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwqgyumguayyyqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmuueyegmuiewceu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmiqmuacmemieaoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagesawgmkykiqau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemkmseigwimiaeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syecamugekwcuaqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscegymyasyycoqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmsysccgmiqwqwia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguykmqaiuccmmuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmeomqesgykosgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gaqwcaccyqwuaugg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507691; rev:1;)
# ------------------------------------------------------------------------------
# ThreatFox domain IOCs, one rule per domain. Every rule in this section carries
# confidence_level 100 and first_seen 2025_04_18 and follows one template; only
# the domain, the ThreatFox IOC id in reference:url and the sid differ.
#
#   alert dns $HOME_NET any -> $EXTERNAL_NET any
#       DNS traffic leaving the protected networks.
#       NOTE(review): where clients resolve through an internal recursive
#       resolver, the source the sensor sees may be the resolver rather than
#       the querying host - confirm against sensor placement and correlate
#       with resolver query logs.
#   dns_query; content:"<domain>"; depth:20; isdataat:!1,relative; nocase;
#       Case-insensitive match on the DNS query name. depth:20 equals the
#       length of each domain here and isdataat:!1,relative requires that no
#       byte follows the match, so the whole query name must equal the domain;
#       a query for a subdomain of it is not matched by these rules.
#   fast_pattern
#       Marks the domain string as the pattern handed to the multi-pattern
#       prefilter.
#   target:src_ip
#       Labels the querying (source) side as the target in alert output.
#   sid
#       In every rule shown: 9 followed by the ThreatFox IOC id from
#       reference:url (ioc/1507692 -> sid:91507692).
#
# The msg names no malware family. The names (16 lowercase letters + ".xyz")
# look algorithmically generated - presumably DGA output; check the referenced
# ThreatFox entry for attribution.
# Domain IOCs age: first_seen can drive expiry of old rules, and a hit is a
# lead to triage (which host asked, whether a connection followed), not by
# itself proof of compromise.
# ------------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykumqeeweeqwaoem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowkswekesaqoaye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskwkoqagqicayqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqouocmygciwoaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoggkwmwewmciwom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwcgemqigyegmyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwmmaooqykysuyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakqyssqgewwksec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sygywaksgyyasuuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwooywiouykqsue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syueuieygkquskeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykymecqycygquico.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symyigyoqommswmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykguggsoqkyygsoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqwygacsoauygguu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gawaoycouqkceigw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomggcoqukoeoauw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiqkgiqsuwgkwuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqqiugmeuyyaseq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimcmiekacucqguy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemwowcusimswcyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqsqswumgkyeqeyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisieigkciumwawo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcmiyquukucouou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimasuumwoiswyga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csecukeeyseqiiua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqocskkcsksioaqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagukwioqwkyscss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcewaqaskigemqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekysemkgaqsgeew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigwsyimgykmgwuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqamwgewiqcukuoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiyikikoawkqqou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucyquiioiiyuksei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csysgsuyaaoeqyge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaoeuqqwqiauucew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcuwyqocmgamose.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmwqymewwkooewa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieywuikwgywkwcoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqoeequmauskeig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiuiyeeikausocuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkgikeaywwwaqma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukaaawkegkwwgcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqmgiaqswweywim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaokwwmwummauqgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomykwawmkukkqkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiwawqosoqsogis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgomsqimgscemegk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoiiamksmcwmwcic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syscgskcasiuqyeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisggawoigssykuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykweqiescwoogaae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqoucioikoagkgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucugsqcascsyuwic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcqqsceigqgsgis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicuiqkocywymkag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgagcwqmscocgeoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoyiokmisugkwckm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syagyomykkucimcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqyseqecqaeyuww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykkuikmkygegmcim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamucaouqcegiqqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewsasuqkiogoaisy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagssmcseiyoqeqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauiqowgckmyikig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqiwgyqsuywyams.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaccmqyqwiawgwsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yksocmkouqigwcis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gameaekcwuwuukgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aouqwkesqigegsme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiaygwowemaqyskk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicemwiaemuosyye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmygaswqeiaswico.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmasymuiswqiqoww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgocyqykwsceeayq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gawuceseoagmmkwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisosucaaiqicges.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syeugiywiysioago.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaiccwkusoeocqoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscwmgmuisikcmuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieuoyqkcoomekwym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeakcqcecwseuiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqmugcyyqkicawm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiugaqamgmeoqagu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiygsimskkuqgsae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwmeseueimuyoyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegwmcmocswgkqae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgeyqgggoikekku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqeqkauiscoeeaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscaioawcgkoqcag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuqosgucwequkme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuqcsiuwoeqgwga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykawgguukyqmikko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmmeyissiyqkmgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiwmawaakyuacec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykouwgsssiymkyyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqqgkykwwwqqecm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyacuayaiamamgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syoqeyuyieyocoga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aouqmegoiaioamia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciuaugcogogmmyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiockyomwiiwcmgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syicawyuuucaooqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykicuioysigqyuco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqymmsiuksmgcyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaqgawqgisgeweq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmgaqqwmcisuugu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukemyqeiwowuuyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syckcygousaecaku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqcaaeugkwwuqka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaywusikeoiqoiyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaskewkqkicyqsgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqiqoyykkakgwok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemgkoecseyuyyam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csaqkyamoawwqwui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauykuqqskqysqsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaeqskamcaqyumgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kieumoaskiewkiky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwowgoomqwoesei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcisyysccokmume.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagikamsqgamuycw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqoqeymogywwccmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemacyyckouqgmey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucsugisekeiuwksw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciakeaeomgeoceg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ewksaqaweegoycsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgakieqmgkmscumi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sywmkiqwiaiweqyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukkuqwqycowuowu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucuucamewqecsciu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgoykgwagiicsqik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gasiwwieayegcuwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkuakemocwmcuww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewoaeukumymiakyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csqiqgigcsuqwqqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quswacsmaugemkao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwiimcwgkmqcmsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaiuqwisugccouc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiqmeoaqgoumgcos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmiqeoycawuwmwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oquowuwmyskoqoqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucsmaaueoyyaqcee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csieaeskemqmasgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcsysggumiiaosw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqywkwqmkiosoeig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisacakcewkyymse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"symmsmsmgqeimwia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quugwqaqwauiyuqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqiewgciyqkqmuus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskaksqiksimyaga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aockccmoescyqeee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgaamukamceokuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmuwyiymiuyiggq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqwmwukommcmiwia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgqygygwaegweooi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgasyqqkswugmaum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syysgmykawogykeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauauumgukeusaoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykquwcuwgaieiuqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewikiimgiqqouwcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmggamwqeeeeosmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuoaagecswoummy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"queikauuaiiokkmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykeciikcmgoyaayk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmiqwgqsoocuumse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcekgmykwyiwima.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgweisemoguyqwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"csqgigyiyyiokgku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieowgaqsmkcmsgyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiceeowaqwmksuaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskwoeeoucwcicoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sywsisiwusewwowe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmosqosieekqmewk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syokmawmasyosoic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aouukuggkcasoggg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauwcaykiikcikoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgqskiyouyqmwggk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewoymukoqumomsiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507517; rev:1;)
# ThreatFox domain indicators (botnet C2), one rule per domain. Every rule in
# this section carries confidence_level 100 and first_seen 2025_04_18.
# Match semantics: the 20-byte content is anchored to the start of the
# dns_query buffer by depth:20, and isdataat:!1,relative requires that nothing
# follows it, so each rule is an exact, case-insensitive (nocase) match on the
# queried name. A lookup for a subdomain of a listed name does not match.
# Direction is $HOME_NET -> $EXTERNAL_NET and target:src_ip marks the querying
# source address as the affected side in the alert.
# NOTE(review): where clients resolve through an internal resolver inside
# $HOME_NET and the sensor only sees the resolver's upstream traffic, src_ip
# will be the resolver, not the infected host -- correlate with resolver
# query logs before triage.
# NOTE(review): only DNS the sensor can parse is covered; lookups made over
# DoH/DoT will not reach these rules.
# NOTE(review): the names look algorithmically generated (16 letters + .xyz);
# such indicators tend to age quickly, so use first_seen when pruning.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceaguoksyicmeoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwcqakqeweguwua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewgqeoykqmekugis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycscgeiisikoiic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symawycsqkkygeoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykiqiissqkocsamk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccagswyocyksqqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quioukscwiwcqyew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmwqywcauieuoia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwgiaywmgmwcmkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ququwuayskiscwwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucsiwuyciwmiacsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykguqcckyymmcgmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagumueuekyukwsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwqcioowseeosyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceowmeoceiewses.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemaaaiqcaywuumk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiiksqyguamkosis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieyomocssuyqiuyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syaskyuukygwscms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sygisekeqocmakci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgucakqqkacssuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisasyoikkkommyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmmegqsuseuueyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewyqoawwaauuysim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaycmwuuiquksso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqeesmqcecqoagss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csqasgaqoaqmugck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gasyisqmcsqsikim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiaamoaaakamkkas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqmkemiqsoyguse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucokycugkgwymowe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqeiuuouqykkwess.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskamaoqoicamqke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauguacasikowkim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugusiymkgsomuea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcyayeauskuwuos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csiymqimimoakogo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quomgwmiqmaywyas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqccqqoaeokmymy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiemusacsmuwagqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkmggowyoimimws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quwossgkakoyskky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiauyqcuwmsewgoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syaioyqssswgqsck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegeomsiseeyeqis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoiqcmykwyuummus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kismqqoyuwcukkig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosaaommksmgmwce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwcsmqqgiccqiem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaikiicyaekuiwsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykogwieomekuqkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogkgycskiqugwyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quekcmmaekskkyuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscskmomiyiuoicy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucayouyiisomygaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiuccwkwikguksau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieesuwukigqieyku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekyuiwkqmasgoea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykoigemuywueueuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqieagyoacumuugo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kioocmwcayyemsko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceoouucyygiuwis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegyaquwiiuouoks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoacukiekoeueoek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgyoumgsggqoooci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmqammuoqawuoiqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmwekqseiqiwkmqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemimyymscscwqgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiyswywqgeawessk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykimimawmgcmocga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikawaeoomeksaky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyyigwicikwmgmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgowwascguoywim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmomoomymieqiwoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quysyikioscywycc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscoyksmgikceius.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqsiiukiammgkuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciysyyakyaqmaug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemqsmeyyosewuki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykkawkyeaoaykwie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmcuaeusckkiqmeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiumcaicmyouqeey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmqsuimaeggewgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoqomowemkwicoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewgkmsawqkqukswg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimoakmksuumcsmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokkgcaoqiwwgkqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgagueigmkqiamgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qucsquiuykggiswy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgeaqkekysmqmqya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusyauoogucqeoio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykioisqgywcwages.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauoysmyiqsiemyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaqoawyieyiuogw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieuqceksacugmcko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syiyusmcgomciaqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugguuskkoqsyoic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieuaqmiesseguoyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskoywwywawwgcwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskyigomyyqswosg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykooiacaesegseeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmsuauwuccqkqay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosguokweameoocy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucaayoiwosskmees.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syoieqqysiwayawo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieumoeuuagyuimio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqgkqiuiokayswkk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwowyoousocgsea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusygoskeioggmgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokgsokuuakeecku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiqcwgygoiekwiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieuykeqgiymeskok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmgqqqoakmgeioa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wggagiawskqqsgkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ewmgygwecgeiceuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiycsgiwmoegyum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quseeswakauguucu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgioiayuyosqeqqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gackoqokskamoeyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciwigawammeygmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccawkeqcoiouaii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecmgywowgyyoema.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kioekosgyieseiqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqssscmgqyucigk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogwemgmayiowwcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucymwgmwkwowyyuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkckosgokguggkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssckmoyiukcuwqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmiyqqeqaqocmgwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykauymuqgieeaogk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikqiwycekqysugk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoaqkmyuucqouiak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmawsegkscsikgas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgeguieamcwqiwie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieokiaggweeuuyio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"csygwgqcmwaqauaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgugeuwacmmkwom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwiacqucsoaywuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeiwcewccksmwya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykykackmyukekico.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoquaiccwayiccy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iesiimgmekqumwmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykiwmkwwyaygauea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgueocqegcsaikwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiskogykyewuyuca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syeaiqogekyiycwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykcyisaikumuwsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syiyeeusyqceckee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimwiiioucommgmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaimucwqqaqioquq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmusuumegcigekei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykaoyuwoakiuquqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaommwseogqykaqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmsocckcikkemgkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewgyigymogyekaqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiiywoceycumkog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oqkuewekkoosiikw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukssuucowwmwgue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqswameysamwisi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagwamsksssmguym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaaqygkqkyuugicc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgkwyoacwsacsymq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmyiymwqgwmccog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmccamyomciekge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaskusggqcmagimo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wggsasyksaywauga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuesgkuiqsogqgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwoqskuumggeuck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmyceusiqmmaqawo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauwksomiyacmgyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmkgyouqwaimwac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgqkgqiaqemamoge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgeswikoaywqgkuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusmmaqqmsaiogei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuqsowwccosmyky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiuuwkwewacqsua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqciaqqkkocumeyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"quskcskkskaqccym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507336; rev:1;)
#
# Reviewer notes on the DNS domain rules that follow (one rule per line).
#
# Match logic: `dns_query` selects the DNS query-name buffer. The 20-byte content
#   with depth:20 has to start at offset 0 of that buffer, and isdataat:!1,relative
#   requires that no byte follows the match. The rule therefore fires only when the
#   queried name is exactly the listed domain (case-insensitively, via nocase);
#   a query for a subdomain of the same name does not match.
# Keyword: `dns_query` is the legacy spelling; current Suricata documentation lists
#   the same buffer as `dns.query`.
# Volume: unlike the ip:port rules in this file, these rules carry no `threshold`,
#   so every matching query raises an alert. If one host retries heavily, rate-limit
#   per sid in threshold.config rather than disabling the rule.
# Triage: target:src_ip marks the querying $HOME_NET address as the affected side.
#   Where clients resolve through an internal recursive resolver, that address may be
#   the resolver rather than the client (depends on sensor placement) - correlate
#   with resolver query logs to find the originating host.
# Pivoting: sid is 90000000 + the ThreatFox IOC id (sid:91507337 <-> ioc/1507337),
#   so an alert maps directly to the entry named in `reference`.
# Attribution: every name here is 16 lowercase letters plus ".xyz" and the msg gives
#   no malware family. That shape looks algorithmically generated (assumption, not
#   stated by the feed); take the family from the ThreatFox entry, not from the msg.
# Coverage: only cleartext DNS that the sensor can parse is inspected; lookups made
#   over DoH/DoT are not seen by these rules.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoemyciauokumqca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykckasqwymwgosga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwmyeiyceeiywuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqkcwqqmmwqkwwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwgecccquweesoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakawokuiescgwuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqacgqyiockqisgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"queuuyciqwmkqqow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gassmucqmcecuqcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecmescksmococuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwsikoiqccmqiye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiywsmeawocsicui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csqawgqswsqggimc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaiiasksgycacmkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syegkimkoeaskgie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoooissgocyiqmas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csgkgqguyyceikke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiqkkmqqwgekqeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgysuusmwokgysqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quegogcqooeemoeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgemyeqaumsaimqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syigumkcoegqkgco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucieqwsswkwmgegy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykaowwaqggcusyiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iewymkmkuumiaccm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quoiccseuumosmmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgssiuouqmkawoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogmqmyakoykcekm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogkmysqmaqkksai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gacyockwmekwymuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykeykyeeqmewmqqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgcgmkmeiuowcmek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeqwaayygaicucw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkkmseiqowuqiaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewyagqouwmmyocqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmgwkcaqameyqsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgsausqoqssyqagu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cseeawsqguikucmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiagyymmciummeoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmisemqaoscumaae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqcygysmeagcuau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aocosawgsqcckemq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwiksgiceqiykce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwqiikyyouomaqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqmciogmkgwcwww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmekoggssywcgiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowoeemouumweeuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csukwgioyqciucyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosokkwwcayaymsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syusqaomckmuqsos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gawemwmgeqewqksq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqyikgiqueqasoug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmygkqgseiaeaigm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yksqkqqgyygeskgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigqygiaewgaysey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qussywoyickmucok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiyymwmmcyyiwmwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugceeyoosaouiuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gawmomkwmgkyeame.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieicysyiskguwqke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csykgcwugieguaeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qucuksqgaecqsoaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakaswiwqkogwysi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoiwyoewocussmqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quymmgeaqucwkaee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewamicagccowgoug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoqemcekuseweakk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssaseqoooumoaeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmuywomoemqkmeiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iescioswuagcyywo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwemkksyweymisk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qucmiyaqikqasyqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syewikiegkiuimce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqqimyocymqmoea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symiuqkwigskwmuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgeiesskasgysiiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quickesegkgyowgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqoieigukymqeqio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csyykaeeksiqkksu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucweawiomsagsyco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqsksmsoeqmmkwce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieccscusyaiiwuqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmysmgegykookkka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigaeqkqaiuqssqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmegkceygkwegki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gacgkaayowwoukus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syauyowceakasywk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoeqycsgqmksaocy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoioaqomysyqmkqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykosmeqyumwgokie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmiggmccwamqkauk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaicamiquascesc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogukkkessskgeou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckkuyueeggusecc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csoimgiimockasos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegawkoqigmkosmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syeqyouiukmaokaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikqowocgcuaugks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saueaugmyokwoamq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saauqwkwmayyomkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqygcccyuokycmuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscacicicwioyiya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqicesmeuoewcaea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaoksomukmuusiee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssysuwckaweewou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gacuwssiiyqoiogi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceiksakosswkswa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqgegkiskequymgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiyiaoosmyeukiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gayccesowmacawmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkgaqikgyiyiyak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uciokqaaioegmqqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoumokeoouaaoakq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomioeusqaygeysc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaciikwuiqwaecsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuugeuokkwuasks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgioesweycimcco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwwkkaiackkskgam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogscyqswgeqgags.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymcygkikacgeaqii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sawcaqysqewyqgse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osueoouccgyaiukg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiicyguqyiigsiww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwycuyysemciocgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiskoismqokuqia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"saakqkuemkgmmecc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyecayysgkiuamw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ossywyiyyssmacmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymseuusgeuiyoisq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcmsuiiuoauoeiek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwiyywoiukqakge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuuowwqyegamyakq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcsuoaouuimkoem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sawwegsqceaqkuqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmqwskoucekywks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuumqkuygessskce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyawwyskceoqkwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymoccsumkgswoqma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagcmcaacskyomoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkoawcqyswgwiqmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmiimeegyoekygg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uesseqemoggcyism.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkwcecmiwmcqcgak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgcmeiumqicukko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwccoqycqiisccw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqigwioeeecwwyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sawimacymggqqyqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osooisyysosecwgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcqgywmwwswemcqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwgqusmewmiewqgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiiikwywuogukekw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saeymeqoosyqseaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyegywmcaamqeas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saegqegcgouwmmio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyoaukouccymcqqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiwuseyceqyosyqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcaegweaokgkyism.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqikoyyikwukooae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igkqosukmgucomga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugkceywaocusgmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymukyiwmqsmyosio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymamcwkmmckiegci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwieiwqcecoqmokg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osamwwaiqggysekq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqyoywekoumggqke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyumksmociomuuws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwswuiqgeisqmmis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mowggykkigowuoko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqsisosoikowyus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumsmskyyoqksiyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwawgkswsswcmem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gccquiiumyysoyio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcswqyicwgcwkwgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsgccaomwgoeisq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyawyewysyimgeoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowgguauycaogyyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwwigqieaiwyimu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igoggeqyaocgeuag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcomuaaokemwkgmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogicoaegmiyascy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oseeyccycmaycuaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukmmesyskgamame.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuqsqeiaiagiwccu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueckqiqiswkeswwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkwoyykomkqcgww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikcimemkioqoygm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuwkegosicogueoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwooyyscooucwyiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cumyoyaueyqikqeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkkuuwmqwmayaoyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osaoooagqwwumqis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uecmekckyiaskgqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuwyewoiyeeccsei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyiguuwwoeyucku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiceoqcsgeuqsqsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauiosmaeayeucsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igqsgoqgccwacwss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqysogwegecuege.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iguskaqyycaacyoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkyogusyagksakwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmgkkioycuykiug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksckyqauewccmak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saogiemgkusmgsku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueauamsyyqwuioeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyewuuowukqksci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osusyoosoukcougc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyegkcaugmkigie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauuomykmaoqoakm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcciigccymocuica.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ymcqyqgysaiokmwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igucisckuqweaiie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuooyomwmyayigqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuykuacmouueqawc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgmqoasqsmguygc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moawecaeqiqccysk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wisseaogyyucoaqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moegwggagkgeeoaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmsoggmmawsoaqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckaykeoyuamskco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqukcgkwaumeoui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwygqegiioaswksa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osecukgiomguswaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyigwykyscyyqguk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumouwgyoeowaawo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqeoieueuycueqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikmumoekceekosq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwoeuwymesoyoku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwgowayigaekqguy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcoooisswcuisqka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwuuywgugimoime.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kkmaaekwggwyoisk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymawukwwiaowggqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igweqocooawgammi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiesymccqumegaco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymugauoesmcksmao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymowokkwoagckweo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqugewwcikeiikou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moqomiwgyksyksoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkgcqwgwkgmkquc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwgwuyuyseicoas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moomemsguckgyegk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cummgagqkggqsoyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcqckuksqcmkiiso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oskucusoceaqoiqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosucieucaiomqeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmuiqcwmyqkqygq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwwqeqaqsaoemqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscimswciqeomiia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wicqkwgqmqascoqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuceaqgyescmouog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqmyeuoiiwsicsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wiouoyqauyuueomq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mockmqccoskquikq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eykomewgwamkaqem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueuwewuwecewawsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowgigkouugsyqec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcsagemeasuoeoii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumwuaiwqyiewuqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqmqekygqaayuie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowiiisosucukagc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wioywyioskgoqwsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saiuoiaugcysseiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saesmmygcuywmeyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samigqgskwqoowgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uewwwaissisugmom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweaamkyumqywcko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mocakcswicoswysu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueaagqokiqemugsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiysqmmscasaogkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowuagyucquyimku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquoakykcmkmkgky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmcasowaycsuyoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ueakkkmucekecoeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueusseuswswomcco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymisemygsauqwgce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moqwgsusgqyoqsui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saacgkmiimmyysug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samqkwqouwweqwew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiuwsuugeoseqgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkcoeeowggeuaygg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqamuswogqsyygs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekucocqwswgikkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymawiackwgwiskwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moguququgsyqwqws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moikeaasewyomeis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eysqaaegksygkkwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqgmkqowyegeucya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igqkkggywsqegyww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osacgswaqeamygyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqasessmgaomqggo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyqysiqgqaaewqyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcmwksmyaywekyyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uecymkygqouggsmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cuakcccyyceuwaea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqkoeqyckeeegma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mocyyimikkcsuoyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wicecmuwugakkwuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gciwguowmqswmaok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyywoigsmawkkwem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkymogmokioicmus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igciwmuimucukisc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwiyugwgkqqaeoik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osuwucuisaogcccy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igkyqsgswoqoqaii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uesmqcswkqmwuume.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkkqssakcwmgwcgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsaqsceakskogsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eywgqymskoqimaqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckoesqscmkeiwsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkyikmgsysmkawsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wickoymmkusyqyow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mooguqwiecgmcsso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagkqugkismawqgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyismewmegmqiis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"moqsqaswsoocsigu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyuwgaeoiiqawsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumokccqmiycscko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyuckckkwuowucia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igyewkwyukcamiqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igyyauyowoscqioq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1507046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiwkygceuomisyyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekqecuguygcokym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgwsqmuyqymswes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momwqywwwcwmuowu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauqmiiqgowgiues.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91507014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymgyceaqmuegksa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwkwgguqamucocu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wigewcigegugggkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcecwwucuqogmkoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwgykwkieaykwec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymemqecgugmguaoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemggyeccymiumgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samksiysigaqqyoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuyiioccwosayski.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqomegoyoousikmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kkecwygmcsgmgggg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiaamugisikessq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueykomogocgeewya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eysymummsmmcwgew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakkkuwkaewmqqsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymikyiwasgcywiky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakkmgueiqymcgko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osouoaaomiuswemq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymiowiqksmuuegim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saseesasokeiceqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikgwukgmaqiwsgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uecaomqamcikkemu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyoacyccmsaosouk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemgsugusssosmgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osoiagwsqwqqccek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwcmwiiggsgswskm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueseosawmikgseki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuassmyigmkqcsmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueegywkcokkmgwkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igakwcecsgqkoqik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eywgsaucuioumkai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gckoaoaqkoooyums.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkkwqqqascwekowg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1507009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91507009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqaqeemmgcmuomie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwyesiwseamguyem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakkuigwscacigqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moawusqmquqomiqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmwsymocqoyouoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckoigwiscgiioyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osigoaeyoogqueam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcoaimkeuauecyqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscueaeaigiigyae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauomyecykmqeowa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwiyimqsqmkwoky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osmkgcmwomimqwgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moyayeokeuqmakko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouskqeeogauucok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcqcisscogquqgoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samwiowousiwgqcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyigaoimissckwgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqawgckccyggigsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkcawgickkcmcqkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"osugoakweuwwwoik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqqecgqkqocuiuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcgquqccimecmaym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueymyuceuaicwaso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sawayucumgkowoqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiyoysayykguyyse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqekcwsukcqgseog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakyckqsyokaqoug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymumqgqwcgwcimw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuygamcaaksiwsum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmoaasuqeeoqagg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osegmukeyqgswscu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymoykyyayguuewqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymomeigmoucsaegc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokkkkkckawkooks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueeqciaayekmiaia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwgqsikaeeigmua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moookeguyiaygoek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuyysiasyiaicioo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwwywaggacgmagcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyiqyewugokykyem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"aqesayiqioeaciec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moqicaykeqaqoemu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwquqgeqcqacywi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymikkeywwougsqwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymgyqcoqscmwgqsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuigesuscemeoyoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqswaskcmkoukoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gciiogkwwgmsckic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqeysseocacqucki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eykeuqsueoemyuiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueiycmegkggssmce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moqscekemaokayas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkekggiaiycwqqey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqsmkyuuauggyqqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igimimwyokkwscga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moousyookawqoceu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwaocomemsoakue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquickwesooecqym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueiciwaeiwcgaqye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sawugiicmgeqqkyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauucyyegeyokwgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wikqawaoaqgigksy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyaceqqysayukma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmscgawwagsgmkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igkgkyikiiyykiem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkouqsuqgiekquiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowuoqeqogguyemw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscykaskgmoyaaum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsicesmusakqqmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiikymikcaksockw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saqeygokiykgqwes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayieycmogoiycki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eysucgaeosgwacsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwosqycwowqysomy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcagyksoiasgeqew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueooiooumikwuiqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqioikugeucmkeiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogeuoeeusoiuawc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueowekmosgmqqgyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkakykgausckgmsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cussyymwiyiqkyqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuawgqumemgyygei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wiekyscawsoaoyao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cucaeqyuesgawyiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcquaqoekkisksyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksacaeekkicusag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiyoomooyioumowc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmawiqcugasomos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmeweomkukcikio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osmykwaisackkogu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moaicskcsgywigim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osuoecmoiegeoyic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueskiaesoqwyaoai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osyeeceysguckkas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymookyoeqmyoqwsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuukqugiwymasias.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymicweaqsyucyaco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiuiaqqgcuqkggg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igescoiqawkekski.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wisackaqyoaeycky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuewssqoaossgsea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwwqgoowaokossie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqgsksqqqsgwimoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kksqekgeemwykicg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswuqmegqcgiqseg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcwowswgwwkeuqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogswiawswqiyeaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqgmgwmamyiouek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkwwquuuosecqui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eykeywgsqkewyiku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymqsgmmkgqemsggg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiwegaeceusmguqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcgsgouuqgucesyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcacwoikcceceqgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyamaaqasugogao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqqyiiweyouesym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkckegqimsqeqiaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkumkgocsyiewakg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiewascseqsaaia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiasiggemsswqoww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmqcgeqqqakyemm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmqgauuaskeakoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuueeuqeseygsgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osumesouwykcqwgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uesokgyqwagcwiwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcousekqcssmqyim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusaimaamqcwgcwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymquskiqoyaqigcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksmgwwscwwigwsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiakiikosukkemqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmwioiykuywggcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sascomucgaqwqgey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueisuqewkweoekww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukogouimgeisage.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiiwakygmyekgcyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiskmsoquiqqqwok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwossyymyiakaqok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscgowougokkoycg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueyqcqysauekyiem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwycsyokqsiueyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiiusquuqimoiwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosmoiaqwuowsesw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcuksicqwqqgikgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igoecuccaeqaeoqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wimcueegcakiceik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"moscwoqsaegeaokm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowkqsscccauoius.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuueymewkwwyysok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugckcoikywyaick.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyikooigwoemqmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquumoaccuuwmegs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwmmcmecymkkesk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oseueysgyguoysik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wisymooimuimuwik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymesgwiksogosuku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqyiaeosoeqseui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moewcmkskuaescwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqeysimucmcewem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugyykoewyieecmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiaqykmgmomeissu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eygoqmiwkcyuoqaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquwaqissacuokyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eysuuegwqoiceauu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igaycwssyoyaykky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igyquuimkuykcgag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueiiysiwiosemmeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uesqcioymmsggkms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueueqkkskiokaaws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqaumgkaqmqwisu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymcouawuqwmcqoaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osygmcmqykeqwwyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmucociqascyqow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgakeqowuaqwmgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymakaiwmwimcueia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueoysieqsaeyiiks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmywsqwqksikyky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wimqaceeamgmwcsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506823; rev:1;)
# ---------------------------------------------------------------------------
# Reading guide for the DNS rules below (they all share one template).
#
# - `alert dns $HOME_NET any -> $EXTERNAL_NET any` inspects DNS requests that
#   leave $HOME_NET; `dns_query` (the older spelling of the `dns.query` sticky
#   buffer) points the following content match at the query name.
# - Each content string is 20 bytes (16 letters plus ".xyz"). `depth:20` keeps
#   the match inside the first 20 bytes of the buffer and `isdataat:!1,relative`
#   requires that nothing follows it, so with `nocase` a rule fires only on a
#   case-insensitive match of the WHOLE query name. A lookup for a subdomain of
#   a listed name (e.g. "www." + name) does not match these rules.
# - `target:src_ip` records the querying host as the target side of the alert,
#   i.e. the internal address is the one to triage.
# - `sid` is the ThreatFox IOC id from the reference URL with a leading 9.
# - These rules carry no `threshold` option, so every matching query produces
#   an alert; a host that retries a name can generate many identical alerts.
# - NOTE(review): the names have a uniform random-letter shape and the msg names
#   no malware family; they look algorithmically generated, so treat first_seen
#   as an age indicator when deciding how much weight an old entry deserves.
# - NOTE(review): if clients resolve through an internal recursive resolver and
#   the sensor only sees the resolver's upstream traffic, src_ip will be the
#   resolver rather than the infected host; correlate with resolver query logs.
#   Lookups sent over encrypted DNS (DoH/DoT) are presumably not visible to
#   these rules at all. Confirm both against the sensor placement.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyciiocuuimymywy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqkueymqymwmsosm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueuioyakwossyuaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwamyowsgiausou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkesoymwkayuecem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiiiucoaoawowgea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgaisgewsioycka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moqymkqmaeyccaac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymgwkkiaiyicscye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakgucamyewmaiiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkaqosukemksiyka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osssmcmcwucgasci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igygsguiiemykwea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiseuscwimcmowa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkyiykkcoaagqkos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqyisioymgkyeyaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osmqmmwwumcickgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkieiwycwogocgsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcuqiwwsgqgwcems.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwaskqueqkwcsimu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcsmcqgaimqwkgsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyoaikgwgkimqcoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymcamaoqcuksecce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemggwsyqyquekwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eygaiuisoueacyqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igckeswyqqweycgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmcgaiiqcaeasck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqumkymoyasymwoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueaqasqyygoskqyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgyewqckokmmawc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuiqiycasuauquiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiweasymcsgwywgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moygaissmsoaimqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukiwsaqsuscwiyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sasgegiswoawygig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouuocqcueumqoim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osowuqaquiuquekm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mockiccuicskccim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqeskukcqwgyyum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymcqqqugiameyqoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwioyseciceskusm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saqsogkekyeoooce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkygamkyqswqckuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweuauigcwmcoawq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eywmmequamsiooeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosuoqywymuuqmqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswyygykcykogscg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmikcascmoqsuso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osyaqiaieksoaocs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokciumwqykgmsie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgkeyckcasoieki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuqewwgsamowgcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eywyemyaqmkwgaea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiemkoaewoommmsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwiecowsiiqaymac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqykyowciswumkss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcueokmuiscqicum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueisgogyccaecyoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueweowogyokowage.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiugouwimukcoiwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ossiuyywqsoqaoiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyoeigqcammqqmou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcuicemmessccyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyoqaaymgsqcsesk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyckgaqsogusquok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiqeugywuemgowoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmgygcseiawecyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moscqgucsiyuguoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqeymuueoocsmgcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueeaiggesuykicia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkeyummscoigauea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiikooeoeswwcqsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqygcwqugoqumwkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyumewgokysqwwiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckccscymakwsgoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqqqyywgokqykme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkeyioqaqqkoqcuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uegsmkiqckimasgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyeiswcwseycgio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueywciuyiiwuykyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcswwyyaisgcugew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmyusgyuguowioe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckwmoqiguougmes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwawgwgauewyekiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osamqecqsokkwges.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwcegguakmugako.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osaueksowwgggucw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkcsywccaqukiigc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyqoqswomgikuguy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uegcgmgkggmccssq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mocieegmsawumywq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmaigukikcmiwwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqukwkmsueaeuki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saismegmkkomuigi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwkgwmaskqiiooaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gciousqowmyqagwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueooiousekqauweq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswgwkeeukqosuoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gceucoaskmcymkka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saueggiumekqgsws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyoqmiekgsucauks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyygkwgyaaieiiae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moysmmmmowsomqie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueakgicuwcismsww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwkqksioyiuugcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saiekyecuaiwoqqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osswcomuksoicaai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuiieisiqaegeau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wioikkiomqykyywi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiqscogeciqkucws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuskamuwmakcaumu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moigqmgwkycauuao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymywsaqeamkyocw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcawiucsekmqiysm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iguwwauweuiwwwqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"saauygiugswmiawm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqikiomaikqieiay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqckwqyaeieiyyeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqsccyckgoeaccs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuoiyswmscgkcauc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuwaaukwmuwyiygu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igomkaimsquwicqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saicuksqqeaiqyay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igymicokqiqmiiga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueayigmskqcsoyaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcequwecoiawookc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uecqyeymsiwaccma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmswsuuqigmwyeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgouamaygescuky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueuukqkmaeuskesg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqkikauusgogycuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukksoaowuoqiase.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosqeeusmsieuowm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmioueikwosmyio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqmiugakkuywkcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcyuoegcsiigkmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"momgaqwocusimmuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gccmgogqycqsowwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiqqoayqccwswsac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmyoyeemyiowcik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikkcoquqomsqyea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igymkeoiiccagksu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmwouuecqiogkss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqyamikkegiuagmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wioegaoouwkcqwcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymacykygwuykqyio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igesewawgqoeggmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiyggkukywcqgsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwysciyqkywyoqye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueoswaekkwaeikwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagcqmumceyikqky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iggqeaacueykcyoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wieoqqigoumqyyuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiuqsaiekymqosck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwogwoeageyeuck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowwoiyciywscucq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkwqcyuceockgews.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"aqkkeececsaaemgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkwiccgkkusyuows.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwcoikwcmocqcusu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauocgicqkmosuuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osweemucokweasow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekassegmwqgiiiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiwagyqauugqqqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyoyyckgogiomis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcsewwkogymsoaye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiqkkgmwmywyomq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusiqkwgwcqscgga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsqcemaqwwacwky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eykuikywoqswuywy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwigqswcqeqyssy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiiwywkeeuyswwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wicokkkagsucuewu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osokoaosaooisesu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uegmyuyyuoouiioc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eysyguoosukkiagw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmomwmgmamsiqwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmqcakmoagkiaau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cuesomkqaagsqmgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506629; rev:1;)
# Each rule below inspects the DNS query name (dns_query) for one ThreatFox
# domain IOC. depth:20 equals the length of the 20-byte content, so the match
# must start at byte 0 of the name, and isdataat:!1,relative requires that
# nothing follows it; nocase makes the comparison case-insensitive. The net
# effect is an exact-name match: a lookup for a subdomain of a listed name
# (any extra label in front) does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiqooyocqkswoayg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugogkgacmougcuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osouagqaawqeemek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eygkmcwckioosmsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswyakiiuiwkiagi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osuwyssiyswcimsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemkyumyyaeosyyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquwewmysoiyewqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyieuukaqgocqik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iggieuumwaiaomyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqysaiagcseuqsgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osawecismscukeck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gciygeewwgyiimks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiumqiowemcgkkek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwamgwegikaawecy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckogmiicmigcamo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mooeayaokogwaswi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemyoqcyeqkoycay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eykksuuisuouakgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueoikcwyeiicscik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"igcqcckaaqicawmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506607; rev:1;)
# Direction note: these rules only see queries going $HOME_NET -> $EXTERNAL_NET.
# If clients use a resolver that is itself inside $HOME_NET, the sensor will
# typically see only the resolver's upstream query, so the source address
# marked by target:src_ip may be the resolver rather than the host that asked
# -- correlate with resolver query logs. Lookups carried over encrypted DNS
# (DoH/DoT) are presumably not visible to dns_query matching without
# decryption; verify against the sensor's placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckeseyommukayog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiekoeyokwiwaisa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuuaqiugqisyaqia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcgcmimiqgmuwsgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcsmaeaycwkoaksq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouaqgwswkquuqiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmskeakawkooumq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqasycqiqqamwayc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymqogsoywayqsgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wimkygakgiyouqei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uesyiqqewsgmsiuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayaeiiwococsigi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueseoemeyqqwomes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmugqmecsecawgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wigmswkygkekguky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgowckqegekgqkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqaguqayeycqayow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwgykmswcaiiuqyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqwguquqaamiiqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcogeysegouwuiiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"eyswuqcioskumcmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506585; rev:1;)
# NOTE(review): unlike the ip:port rules in this feed, the domain rules carry
# no threshold keyword, so every matching query (including client retries)
# raises its own alert. If volume becomes a problem, rate-limit per source in
# threshold.config or downstream rather than editing the feed-managed rules,
# which would be overwritten on the next update.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqeqcusiswqueeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmwycaucigaiymq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkeqgmagysoqgeok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuckukwoomqsoquu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eykskkeamoqaeuuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsgceusksewcocg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiqkaqmeggeauuqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyqeeiuciyyiaisq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcmykouwoauqokg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgkmeugmomouwow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eycuogueeewumccg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiuiikuemuymquc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiesqwgmuewiqeei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksocayumoscygyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyguoecaaswgeko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokaauguauousqwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igymukemcmqiieoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moisecowiuiygkms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkiqmmweqsqgywys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmoiocuqqwqgyau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"osksusaakugiwacc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506563; rev:1;)
# NOTE(review): the rules in this run are identical except for the domain, the
# ThreatFox IOC id and the sid. Suricata's dataset keyword (dataset:isset on
# the DNS query buffer) can hold such a list behind a single rule, which is
# lighter to load and maintain; the trade-off is losing the per-IOC sid and
# reference URL in each alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueueigmyooacoisw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqiaoqmwsmiuuya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcgkkoqiqakuqks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saqescckkgukouou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymqsemcsqmioacoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wieccekqmiiuwagy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwyegsqyeyeemaai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymsuwgwigoscskcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksyekgmiayimiwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqeiokggcqkmsica.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqocmocgaggwgys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyqauoymayquyuey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momokiigsewysucw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuoimaaoaeumeiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkwkaqgeseyyueue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igucseeqsokcukas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moeiwocagiagiogm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwuukwusmwgmkcqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saoyqguoaiqoaowy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osikqwsemyyewwwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wigqimuucykcwcis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506542; rev:1;)
# Triage note: each sid is the ThreatFox IOC id with a leading 9 (sid:91506542
# <-> threatfox.abuse.ch/ioc/1506542/), so the reference URL for an alert can
# be derived from the sid alone. The msg names no malware family, and the
# names look algorithmically generated (presumably DGA output -- confirm on the
# IOC page), so a hit is best treated as a lead: check whether the name
# resolved and what the querying host contacted afterwards. first_seen is
# 2025_04_18; age out entries per local policy.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyykokiwgiyugau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osymgaoqsswymqmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiaoywmcuwaiguw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmssoaemwesmaci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogsueoaqgemumiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueeweuqugkuucook.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igaoaqoouaiosssm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wimkcygsmeyqaius.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwgyouygkkggmse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwysyasyyiciguk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moauyaiumoquoimk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkueggcgwgkqeoem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eycaeimyywockuag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saquigmgkgmskacg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagqgyicesqmgqis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiggqyqkakeougim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokgaeusgusqwgyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwysoyeykcgweqyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikimqmsgwmyawkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqyaeiawyqqqaeyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkaoukecoaywcuak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyieqyssssimwsos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqgsseuyeewgsua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumiiyemmsuegcyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckoeocmggsmsoiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcywcgqogeumiswa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcqyouiysimqqisk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymgsmaseoemuuie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokequicuaqsegww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsqgisskgweyeua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igeyiugmaecggaks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyemuymmsskkwum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukceqsuuesiayog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueeoeuocmmauqqgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkaumeygiyeuqkeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemikyseycekqcca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eygoayiqyyiasoay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiigwaqceyyaqag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakksyweywcocgae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmekkmwusgygoui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkquccwkaoqcismu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wimsiewueyokyesk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksukweawecqqqaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkeikommegmmciq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueikqaqsukwawkki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiimowacsiiwowoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueoqsimimocasaao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukkyouyyaogyewu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyiaiaeueeuscag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuwmiqwqwoysisae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwauyeqimqoaoyco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saugkgemyqmeucua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymqqowyiwqoukkik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqywygsqagosoekq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkiwciwcumsuskq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cugaqyiuqguuogse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuiciwmiicywguow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwuqcgaiqowamyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymcceicymkawsmks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgokiimmseigksq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iggymmywkuosomoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uewqqocawmgioggy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cussuqgisogkgeiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwygiuiwcwwwqcuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyggyqagogmsagsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igmksueeiegccysa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymeqqyecmugywkgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momwqkaugcsiaaau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuocumqyoeomkyum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiymskaiikwuwkaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqegsqeekogaiuue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcokmqkasyeqyeau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwgcqmgqomiseyaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osykmisyssiiyauw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saeoaceucgkkiiuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uesmcqmwikiicwws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgwwoykyqqcwqcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmkskgsgagcucuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueuukykemkcskskw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweoguiwciueqcee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuqqicsaoskqecom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcceoiuqkmqkemeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymamsykoqqiouuyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ymaaoqsswwoywswa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqauoessgcomcumk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwcesqmyqqcimasg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymgkuguyqgwocko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuaoqsukqeuascuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igiuggcuqkmeiiuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osokccwiioqwigmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuomkciwaggkumq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquowckkikkuykee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkoqcygseweccyuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqiewcmiaagkeqww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506463; rev:1;)
# ThreatFox domain IOCs (first_seen 2025_04_18, confidence_level 100).
# Each rule alerts on a DNS query from $HOME_NET to $EXTERNAL_NET whose query
# name is exactly the listed 20-byte .xyz name: depth:20 pins the content to the
# start of the dns_query buffer, isdataat:!1,relative requires that nothing
# follows it, and nocase ignores letter case. A query for a subdomain of a
# listed name therefore does not match.
# target:src_ip marks the querying host as the target in the alert record. Where
# clients resolve through an internal resolver inside $HOME_NET, that source is
# presumably the resolver, so correlate with resolver logs to find the client.
# sid is "9" followed by the ThreatFox IOC id given in the reference URL.
# NOTE(review): the names look algorithmically generated; only names already
# reported to ThreatFox are covered, and a listed name may since have expired
# or been sinkholed - check the referenced IOC page before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwgykogosmkuyee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gckuiageuqowaooa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyusagqkmieasqok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuuwaqsakimyyyyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumaiawuiksqamyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwiawegiqaiawcke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moeeuesyggqaquai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcmmwmyaakwaqiec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwswosoussegcsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekqymeaouukkcai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqmwkoqoykwssowy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqwiogcccsoooym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymiougsqemmsyige.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkkqmkaggqiwiyeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momiamuogcmcsqiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuygmqegqywwmeiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igkiceuakwqoewek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyeucykoymqmkwms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuiiyowccsgaiays.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gccogoeogoyicwea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymugusqaasekmqoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyskqaoekygqkcmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksmkwsgeiicukqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uekeycgyqguaesek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksmsuagygccgmoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuscwuiiceuucikg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gciuwokiwgoygsse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueciaqcqwkkkouge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igcykaeacoqiuaeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osogswoiecqwswmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueogumgoemyqiwew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueewyqoowcqwaqec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkicmkgssimwqkoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqeqqswiegskymsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mommaoukaogcuays.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymggoegemamqoaqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osawgwgkioeokisq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumaqwgoggisciai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cukgicscgqqammco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemsqcqssikocsye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osgemmokaqmemmgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gceywecgkowasyik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksygiuoyouyuewg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gccguomikoccgsug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igeokugkwawsaocg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuaewsowmiiuywec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwkgqegoaycqwca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiiokamqqmuyeuqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwowkoemswcwigiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cucgwwismgmowquw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wieigeiuwuccwyco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymskyewgceykgwum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscoiuiewsysyiwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcmwsyekeqggskqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokkwmwqcqigawyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqeyaaoqasawqik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcymimomeacwucec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkkoqmkwkgsikkmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuuwauqoeqygamie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksomuwgskgmcuow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oskisccaeecgsmog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgyiqiccwyyocak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyggyeisqwgegosm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueugoyyysuqkoykc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyeukmuukseqycw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymqemucgckoyywaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moquemoemccayywe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueawkqwwgaywaeeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymigiamkwoumyqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcccqqsskwimsau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igacmysacckqoemy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moeugioiwwgmgoic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymoysieocyaemmms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsueikioycqeqcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusqksskewoaosae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igeessakiuskymeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikukwuocggwuqiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igggwiqwmgqaqoie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igwciowqqucyoewg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyiskqigooimqmow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymqsgwekiuogamkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samqeeacmkmakmok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogiauskiguiqmew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cueiwksksyigkwuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymccwkkaagywcyyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqsaymsqeisiuyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saeoieooigaikqii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uegaykccgmmkaeqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyqimummqyqiscyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqyiggiqyiqemaya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqosgceaamqgwqiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouoyueaeemgsmek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagskieqgqsoosca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkmuegiyyqgkaco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sawqwmomwwwoyowk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuqwegkkkqqscios.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moeyumggekyguuic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcqsusyqcwekguqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sauaiyeieueoyewc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqeekmkkweaqiosi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mociqiyewsqasiyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogeqsaiiqecmkco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sacgmigaakaiwiwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moemsaseaaoucgam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqgysakgaumciyme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igygaumesuqegcou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcgwcmkigyugiika.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwayiqwoaygcokcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwsikwsuygoaowyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gccwoguoswgqyksi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakmciaaaamiqgce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506360; rev:1;)
# Triage note: the header only matches DNS queries going from $HOME_NET to $EXTERNAL_NET, and
# target:src_ip marks the querying address as the alert target. With the common setting
# EXTERNAL_NET = !$HOME_NET, a lookup from a client to a resolver inside $HOME_NET does not
# fire; the sensor alerts on the resolver's own upstream query and names the resolver as
# source. Correlate with the resolver's query log to find the originating client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqawicougomocqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcwgckyaiegyqsyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igyegywwiiagmuca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osimukoqwysksika.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueycqyymwcgqwaoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqaawswsosmwguse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcoiamgkuywuyeks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakqaeygeimmcesm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqkuswswskygesom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eygcaqyayuwqkekq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkgwikaywuukmgac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymyiowsewqomyqgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saycsgecawqwoyoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uesoiymaqgaiqqsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusqqyuwciugksgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcauieuyumwiwwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyweeyiwcewuqsiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyymqaiycacyiwyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouqgeuuemmsummk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmewmkuacuwqaaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcgmeywmgaamwiac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506337; rev:1;)
# Alert volume: these domain rules carry no threshold keyword, so every matching lookup raises
# an alert. A host that retries a name will produce one alert per query; if that gets in the
# way of triage, rate-limit per sid or per source in threshold.config rather than editing the
# feed rules. Lookups made over encrypted DNS (DoH/DoT) are outside what a dns rule can
# inspect, so absence of alerts is not evidence that a host never resolved these names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wieoouwgqwiiwaku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokayicgmgqcqoya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saawquewwcoqiiag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwyiskucsuuwkgcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqycwgyacswkwwuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wisgqogwcokqwyuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymiuigscukgqceig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymyaqcucgiekcqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwcykkmgicssqyke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oswsuuieeomsmqoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wisskcuqekaqygoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igaoegqgouskwqss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saqqwcoicscemeeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymugwkqeceuygyiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayuugegumgweyos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuasmwymwewqaem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusgukceemieomyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquuigkwaeqecyys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkceuswciqosssmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymkauiwuweeskigs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuiooywcugiamkmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506315; rev:1;)
# Pivoting from an alert: the sid is the ThreatFox IOC id with a leading 9 (sid:91506316 <->
# threatfox.abuse.ch/ioc/1506316/ in the reference), so an alert's signature id leads straight
# to the IOC record. first_seen in metadata is presumably the date ThreatFox recorded the IOC
# -- confirm against the record. Domain IOCs age: reload the ruleset from the feed on a
# schedule instead of pinning a copy, and weigh first_seen when judging an old hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyumayymiywgugiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymumysucycgemmgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusowsuwkausgasm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwcceqiowakmwaaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyokgkyueeqaeyiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osuysicqgckikasq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcaiiokqsqiyamcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mowyceaeuueygmwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyyaumsgkwcsiea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wigygmkamaweyssy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmweigwakwgosim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuieweqgkgeumwgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymygaieysqkiessu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymyououmaicmwaum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osemgmqugsewasce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqcmkiaagqcmyysa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osswyskkkqoismcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iguwemoouyqgqwoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouqkasuokiyimyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqguqqkcecgcoicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyaeuuggkekggom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506292; rev:1;)
# Attribution: the msg text names no malware family for these entries, so the alert alone does
# not say which botnet is involved; use the reference URL to look up the IOC's tags and
# reporter notes. The names share one shape (16 lowercase letters under .xyz), which looks
# like algorithmically generated (DGA) output -- an inference from the strings, not something
# the rules state. Several distinct names queried by one host is a stronger signal than one.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkokoyskugogmoui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcomukegyeqegmom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymmeyyookcagukcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcecosemysggkgqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkcaeyskyuuieymm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igqseoqqsosoymcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkscesouyceiyyga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymycgmwukcgkyam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osacssokguymsgqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuskswakakicmkgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igcgkymickoeqoui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyawwqkwgkmoyymm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwusackyqcyumikq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueokyomuwwwmesmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwyeomoakeuocago.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcgoewwmsemymswk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcasackmecgwcmwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosawwwswowykmkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gciqqimqkgmiwgqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuwskoqwuqiigcwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eygwmsmemgkuoggg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moqakuasyqkaaiuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mooqmqgyyayiaqum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcugiceomgiayckq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayqquyqyckmsgci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cuwkysaqgyusgeww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiemoqkamqysccey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueaqwmsmcykskiue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqoaisqmckkguas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogyacegwwsgsoce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumgiqoqoismwuoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mossugoygmsgscia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqyqccqiqaacyac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwuwuuckokosckga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igsgqygawcasqewk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyqguqwkkaoscsks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiumqqqsyusesuug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiyogmiwwoiascyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osocaiagyecciewk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuykkyimcmgkacsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosqoyamkkmyasma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkwsuymumkmegccg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqyeukaicqismyem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiqqasswkkaqoeik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyyukewoaacqcoua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqeawmcqwmogeyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"eyeaeeeqaqcgamoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwkmaoswqwkmiqsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uesokgsoewgkmkqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymsmseuqsumgqgym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymewikiuuaqkkaew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymumkowiemgckoqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwcoyqsgqomugms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiwgeyksmsumwcaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igseseocuauegoam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sacemeqawckoqkak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcuokmweckaecyam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkqmoawqaswmuquw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymoiecyegskuciak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igaksyuisssgmwko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwqseeoaoiwkmaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmeugauecigeiya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcaskqauykqqokys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eysquqgcagqaqeai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uemsaieeswoamqag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqomqiikywasqgag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiwiecqyqoikuuqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"osuuqasgowgieusc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqgquqyweomgeoam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwocwiccmweegcow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqqekqciqeqcyygs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueayaeiegkkgwcuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuwakseeegiscyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kigeysyuqeosokyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgcsoumqcyuiwgmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogqcmyuceguwkga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueqummkyismssgym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sawcwoeyeuoywusq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cusgcqmmsyqwokma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyssyqyosmgwqcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sasesqemyowcyoyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcumysogoeeocmcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcmukmeaaqceeksu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwmamiuawcomsmie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkmewwgogqkqeyaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eymoccawqoeqwiyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiweguaguwkmgwii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueoosekyyoosuwoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wiywuqaskymwcmwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiwkiuauccoykiwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymwwkiukyigseesi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieogiueacmkiakgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmuauqqoausciyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaqmeqaiciwswaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506173; rev:1;)
# NOTE(review): reading guide for the DNS domain rules that follow.
# - Match scope: each 20-byte content with depth:20 pins the match to the start of the
#   dns_query buffer, and isdataat:!1,relative requires that no byte follows it, so only a
#   query for exactly the listed name alerts; a lookup for a subdomain of it does not.
#   nocase makes the comparison case-insensitive.
# - Triage: msg names no malware family here; the reference URL is the only per-IOC
#   context. The sid is the ThreatFox IOC id prefixed with 9.
# - target:src_ip marks the querying $HOME_NET address as the affected side. If the sensor
#   sees traffic behind an internal resolver, that address may be the resolver rather than
#   the infected host — verify sensor placement and correlate with resolver logs.
# - The names are 16-letter labels under .xyz with one shared first_seen date, which looks
#   like algorithmically generated (DGA) output — TODO confirm against the ThreatFox
#   entries. Domain IOCs age; weigh first_seen when prioritising a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmwaguooiqowuwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssiqyeikiqgcuye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quscoewiwuiakywu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykakosikueygouio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugoqwoesqkqawgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgkumockeckoiwiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgywackeceiiuuew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycceaayueyiqwsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieemwweyusauiuqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykeymwgeeswqmuim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycmiwwmkuikyscy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcuysmguqcmosay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quwkcgiaeckwgqke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuaoeygeyiogmqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieusuagqmiosioso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqmuagiywkmgwgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuegyiauqaguugo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuieugeiawsykou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekseyuekqykkkoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcsieuaawmasiai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikeeuukamiyimqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmkcaoogggsysek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycwkegyiugoeyeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kieueiscygwgmyqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgasqkeouomqmiuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgoeaimqwecwsce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiikiaemaqqkqgai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewekyguaeasoeusi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgesgosoqygykisq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagueeakemmmusqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeemuyooyagssgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaoeywqkamuwsyog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieuykykaacgumwik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmmmcyqaecmcqka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgcsccwqcykoygwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucgmqiuicemkuiwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syyaaswemsceksuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykoosoykagemuywc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaykogeskyoiqcam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quiicmikymcusqow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcequsamoeiksus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieugiicmassuqwsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csymeqiagowymsmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoskgwsukwkcckeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykmkcuseyqsokemu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgecaecoqieksgsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqsmkaysouscsoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cskoooacaiqmaici.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewkqgcqyyeiqyyag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucaouwykkkwyogyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykaaukemqgyimyoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgsmwsksqkcuiwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwkogggmawyemoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkqmqioieweqoom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmykegwkkkkkkimi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekcmsgcakgiykig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucemmyccskkqcmiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syqieoqwuewiccsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syagsswyswqcygos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmkuekuqweiyaoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gacegookkycskmcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqigsgwqwiwckywq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieiqyuueewumaics.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quceccwkyoqcmquw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcmyyoeceoigiqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syukykkwyowcoygm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeswaccwyiqgwic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomgmkgiskwcgicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykceisqequwwgqyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaokqskmqocgmms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaiomqmoakigawao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgsasmiwycwuqqgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosiismekqumgkwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syoyeguywwykyium.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwaegogwuomqiqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckmacaamskeuwww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgwkauoaiwgoqem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgycecquoawwiauw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmaqeucogeuoioq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqycqasmoccuaec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykycoakuoqmoicko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewceauukycoicqua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syckkaagukqasqyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaiwauksiwkocoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmiymmmsiiiewwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgagimwgmueswmki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscamckawgmyueso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqsyyakqoqwyeayg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmsemegsmemmgcgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csukcgukkcgomums.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiygwwcoqywocgig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykseeiccmqsiucew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwykouesigayoce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwwemycacwymces.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqiwukiueqwccgqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgqssiyumqciggo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoikkigmiawigokw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmegeimuiosgmigo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowamcsauwgeswgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwowwsygwuuqyis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwuggecoqoiqewi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmiausgoaosmqaem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgggikoqaeuskwce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiskwyscaueqqymq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iecwoaeykkugawou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiciwecyakewsay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quigmsscyseqsksi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgekywqoaquuiemi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieoykoqceuciuwio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscskcggkyymywuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwccgicsceywimq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewciqioeaquckume.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemaumiesmwecucg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikkmquceoqqcwig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieiwccuqooaiwmkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccwgmoyeuomoows.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmokoqciqsmksce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewucceswikkuiwaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgsaqwucmksoqwyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieegcssgwmuyuqwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oqeyiqcsywcgawoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csimooiuiocqsuem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syqkoooacsesaesk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowakqsqskeougui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagqqaosmkokwwmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iewmcsmquesgyiaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewakgyqykoqecsca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieummiisyqkqwoou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieayaoqmasmokgoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewikmmukiaiswqsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqyuqcsumeomkqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmakwwgecaiemmms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmysaawceigaygme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmiagikgseiiauao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmyqawieaaksqoca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aooucegeouskwqcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiigagyqccqceaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykqcygacysyuqcsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewucoyekewkcyqmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmwwccmeusoigwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuqkyaoecucaaoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gamgaciakkgagkwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewceqemacyyqoasm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csicqkmugkcqaokc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iesuyaasiueumkom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkciewmmqqomumq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uckqccquyquukcci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekowgykueeciqsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syiqyyewkoiuwaum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eweycmikeieogguc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csyiagckaseaqwoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieaoaqekicoeugso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quwiamuuawaquoca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoyissgciociyisc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quycekcucmicukeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgwqaiskoawegqmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgyiosgumgycisek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wggskucmmwwaewga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekgkkmyocyaasoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qugkwmkgymayyguk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syuycgyasecaqosc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusyqgwscwykimmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oqsyiqswckokugqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkmqooowqccawes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqkkmeeewammwwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukuoiqqyuecqqgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcemysuyoeeawok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucywsckmygqogawk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1506042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieauqsqqkyweggsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sygcmgqgyuyqaawk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qukqeowkykguiuog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaqqwsgicwasgyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgssaasgiwoqmyoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91506004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikcooeucskooikg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgesuegeyseakqaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syqwmycmacesoasu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieikqgwscsmawsms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuweqmysykakqoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauwekkgwikisaoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506010; rev:1;)
# Reviewer notes for the domain rules in this run (they all share one template):
# - Match scope: each rule inspects the DNS query name (dns_query) and fires only
#   on an exact, case-insensitive (nocase) match. depth:20 equals the length of
#   the 20-byte content, which pins it to the start of the buffer, and
#   isdataat:!1,relative requires that no byte follows it. A query for a
#   subdomain of a listed name is therefore not matched by these rules.
# - Attribution: target:src_ip flags the querying $HOME_NET address as the
#   affected host. If clients resolve through an internal recursive resolver,
#   that address may be the resolver rather than the endpoint (depends on sensor
#   placement -- confirm), so correlate with resolver query logs before triage.
# - Volume: no threshold keyword is set on these rules, so each matching query
#   can raise an alert unless rate limiting is configured elsewhere.
# - Context: msg names no malware family; the reference URL is the only pointer
#   to the ThreatFox entry. In these rules sid is the ThreatFox IOC id prefixed
#   with 9, which helps when correlating alerts with the feed.
# - Coverage: these are static indicators (first_seen 2025_04_18) and only catch
#   the listed names; keep the feed refreshed and do not read the absence of
#   alerts as the absence of infection.
# NOTE(review): with this many single-domain rules, a dns.query + dataset lookup
# could express the same exact-match list more compactly -- check version
# support and case handling before converting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmosscecmwkokooi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqumaqmckskiqwua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sycumaquckcmcsaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemwiaeqiqogckok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gauoskqskwaasgcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegowgsuiuyiawcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykuaueiawkecmsag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quuqcsimcwcgyggi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gakgkiucgssoaygy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quyqgmeyqaocyamc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgaagqoumaoocqcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1506021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91506021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqssoaweumuegueq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaywyymekwqoqsge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcygceqawiwkugq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csaksccsoyowioee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkowyucisyaiywm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqiqqwaqaqqiqca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykakqseyswuicaci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kicswcykciyiwgmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscuowsggeiecwqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgoacqecoaeoqioi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uceoqayiyakgyysk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quoamoaqcqgmagkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykmuskeyoicuesq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gasguaqqggcyskom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccoqqqaaywsoywe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowkcqeemeaiuqom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimyaiqogmegyeyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csuusecyoysyemeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csssgemkeqmgwymk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisggkaucsyesogo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505998; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiaewgqkoccqqcyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505999; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmaauqoskmieuooe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewcoyeksogoageay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgisyawwcqiyyqia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoiigokaqiyemkcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqamaqoykqoqaiky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaysekeyuqmcmmqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucyeoycweycueoym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewmagqiqsumuaowu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykysucgaucmmqmuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sykgoyoqeuwygoco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogkseyqiuugeska.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmyociukwsyquueg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syaqwowugiswmcsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqeyqommueuoeyck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iegiiwugeccgeeug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gasumqiwuugciimq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gasmaqgawiuqsaga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aocaoaeywauqogai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oquswgeiwgcmqoaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmisiysowgywiuoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokmeoamoqiyioyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusgyaiooqmqqwww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucqgimoakwueecaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgekyoyauqookkss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aogywkyqycsgcgac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmeyscecmuakecyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syeisweyqyyusecm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcecokmeckgmksg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkykesgcogeiwci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcoiiqoikscoyoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syikoyycqycmqgyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoomauaysqoewcwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csaiswiuqgsgkggw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoykiuuqsmkiacuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykcmekaqcwkeyaes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoyeqyooiwyguqqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiiwqqcwuyycqoqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamiaqsoeuwuuueo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucymeseqciwgagui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eweuguskcyiakquy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemwociicokmsyiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimkiyskksemkoci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csaiacmokwwicsau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucssgccocgaucswi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewqimyasaaueayww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewoyqueooiuucwis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykgkwmmuiaqoiaki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewueqsgyeykqcask.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmuyskisoamyaws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syqueuqyeckqqymw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucwimycuakioauui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csmegcskiaiwsqae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quewkguaoockmiga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewewgauiayouuoaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemcmqeciowekogw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewswoeamoykcgyce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"queqeqgwgcuacios.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykwoyoesisioaqwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqiiokyeykesacyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqgwiowekcseogwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syysquqgwmcosyeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewiaeaeaosuimkwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aokwcccwaawmoauw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaqomcqymyoiwig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqqykueyiwqeucwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaceccgseqosgec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syyeamyiuuyiecks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaesmqaaikgwaeue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aosyiwgmqiaewesi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmiwaksqmacyeqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaygywsmykscyuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucmimsouyaioyuao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiaksimoqcmyqaua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iemkeemkkwcgycoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucuoyaamaqcmmemi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quqqkgkyasakwuqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqogqyyacaomwosq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query;
content:"kiusmwgmiimiuosu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmkcugsyeaekwocw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmygicwwecooeqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykisgukqkaqcqqam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iewkcyoekgsiaqwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iekiiemsgowewuio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1505905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wguqcouaaiykgsmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syskoisogiyyiwss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aowkoqkqikaiuqga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwkuicoigeiwkae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgccimwsoygcsoky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; 
classtype:trojan-activity; sid:91505910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iesgeiwskmwgekqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqkouseqekomkyyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysqwwumcumaiiwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqoiecqusgmmeoak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmommwikqikiiyss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csumauakwiomuqmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oquqiykeucouissy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucsmwgeogaismgyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykywugeqqwkowsme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgmkasuawoceqsiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"syeqsmuqqmkwigaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcwocsaykgqyewe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykskcwaiqmoaoouq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csoyyeqqcmguwywo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaimomuuomycgggg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1505886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_04_18; classtype:trojan-activity; sid:91505886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botn